Hacker News

There are attacks where flashing a malicious firmware onto the device prevents real firmware flashing (just updates version numbers, re-infects the flashing payload on write, etc). However, those attacks can be mitigated by physically connecting to the flash module and writing to the device directly through SPI. If you've got a chip between the BMC and the flash memory as the report suggests, it can re-infect the memory even when you're done. You could even read the contents of the flash memory directly and find no evidence of the attacker, as the attack code might never actually write to the memory and may only load when the BMC boots and attempts to read from the flash memory.


