Most likely it is using SPI (https://en.wikipedia.org/wiki/Serial_Peripheral_Interface), which requires four pins, and the two remaining ones are power and ground. SPI is what is used to access EEPROMs and flash memory, so an attack that you can do is daisy-chain such a device in the path to the EEPROM the board management controller uses as its firmware storage. Then you can very easily insert your own instructions and get the board management controller to execute whatever you want.