If an attacker has freedom of movement on your management network
the vendors may be correct in assuming you are screwed already.
It is however not straightforward to detect or disinfect from such an attack though, and this could be worse than the attack itself. Potentially rendering the hardware itself a risk and a scratch restore being insufficient.
It's an interesting vector, and anyone with their management networks exposed to the internet are doing the equivalent of leaving a truck full of new trainers unlocked in the middle of the street... (and that didn't end well either)