I just wondered if someone could install malicious firmware from remote on IPMI controllers (similar to a rootkit)? Is something like that possible? I though about installing a keylogger sending summaries over SNMP. I know normally IPMIs are in different subnets, protected by passwords,.. but commit that the attacker has knowledge to overcome those barriers.
At last Defcon, Jonathan Brossard gave a talk regarding hardware backdooring, and how it is possible to install a rootkit into a bios or a NIC rom (remotely).
They were also able to reverse engineer the kon-boot payload and include it in their malware.
The slides can be found here, and the article is here.
So yes, I'd say it's possible to get access to IPMI and maybe install a rootkit on it...