I have recently been experimenting with my Supermicro X7SPA-HF-D525, and found a very serious issue with the BMC. I bought my board in September, and it had a very old firmware on it. It should be noted that the board was marked as built in July 2011, so it seems that Supermicro are not burning current versions of the firmware to new boards. The same BMC firmware is shared by all Supermicro boards having the Winbond WPCM450 BMC, which is most of the 'F' boards. The issue is that prior to version 2.54 of the BMC firmware it was possible to log into the BMC's SMASH console using no password at all. I'll explain this in detail.
If you have used the web interface for the BMC you may have noticed the "Anonymous" user, and disabled it as I did. The problem is that this does not stop the user being used with the SMASH console. In their infinite wisdom the developers gave the user a blank password, so you can log in to SMASH by SSHing to port 22 on the BMC's IP address. Log in with "Anonymous" and no password, and you then have access to SMASH. All it takes from that point is to type "shell sh" and you will have root access to the BMC's Linux OS. Note that on some earlier versions of the BMC firmware the shell command was disabled, but for the majority it is available. From the OS you can pretty much do what you like to the system, as you have full access to the main system through the BMC.
There are several options you have to mitigate this vulnerability:
Upgrade your BMC firmware to the latest version, clearing all user configuration. This automatically disables the Anonymous account.
Set a password on the Anonymous account. Disabling login is not sufficient!
Ensure the BMC port is not connected to a network that has access to the internet.
Disable the BMC entirely.
This assumes you have also changed the default ADMIN:ADMIN login as otherwise it is just as easy to get in that way.
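The second option, setting a password on the Anonymous user, scripted with ipmitool as an added example that is not from the original post. ipmitool's `user list`, `user set password` and `user disable` subcommands and its `-E` option are real; the LAN channel number, the exact `user list` column layout in the constructed sample, and whether this firmware accepts a password change for the Anonymous user over IPMI are assumptions.

```bash
#!/bin/sh
# Added example (not from the original post): locate the "Anonymous" BMC user
# with ipmitool and give it a random password, because merely disabling the
# account does not stop it being used for the SMASH console.
# Assumptions: ipmitool is installed, the BMC is reachable over IPMI-over-LAN,
# channel 1 is the LAN channel, and the admin password is exported in
# IPMI_PASSWORD (read by ipmitool's -E option, so it never hits the process list).

# Print the numeric ID of the user named "Anonymous" from "ipmitool user list"
# output read on stdin. The header line is skipped; an empty-named user (as
# Supermicro sometimes shows for ID 1) shifts columns but cannot match.
anonymous_user_id() {
    awk 'NR > 1 && $2 == "Anonymous" { print $1; exit }'
}

# Generate a 16-character alphanumeric password from /dev/urandom.
# 16 characters is the IPMI default password length, so no length flag is needed.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# Set a random password on the Anonymous user and disable it.
# Usage: lock_anonymous_user <bmc-host> <admin-user>   (IPMI_PASSWORD exported)
# Prints the user ID acted on; returns 1 if no Anonymous user exists or a call fails.
lock_anonymous_user() {
    host="$1"; admin="$2"
    ipmi="ipmitool -I lanplus -H $host -U $admin -E"
    id=$($ipmi user list 1 | anonymous_user_id)
    [ -n "$id" ] || { echo "no Anonymous user found on $host" >&2; return 1; }
    $ipmi user set password "$id" "$(random_password)" || return 1
    $ipmi user disable "$id" || return 1
    echo "$id"
}

# Constructed sample of "ipmitool user list 1" output, used to exercise the parser.
SAMPLE='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1   Anonymous        true    false      false      NO ACCESS
2   ADMIN            false   false      true       ADMINISTRATOR'

# Example invocation (commented out; needs a real BMC):
# IPMI_PASSWORD=... lock_anonymous_user 192.0.2.10 ADMIN
```

Afterwards, re-test by SSHing to the BMC as Anonymous with an empty password and confirming the login is now refused.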
Don't ignore this thinking it won't happen to you. The exploit is in the wild, and people are using it to hack machines and subvert the BMC OS for their own purposes (mostly sending spam and DDoS attacks, it appears). Supermicro have not publicised this issue which, given their market segment, I consider a heinous failure.