That has nothing to do with where the vulnerability lies (in firmware), or how the base management engine functions, which is what I was talking about. I was speaking generically and not catering to this one vulnerability.
I was referring to this vulnerability. RTB, we've been over this before. There are no attacks that can render system control through the IME hardware without a software layer component. Such vulnerabilities reside exclusively within Windows, as driver sets for other OS platforms either do not exist or are specifically engineered to prevent unauthorized access through the IME hardware. Additionally, such vulnerabilities can only be accessed by/through Intel network devices hardwired to the chipset. Network chipsets from other vendors are not vulnerable. Network devices not hardwired to the board are also not vulnerable.
All of the vulnerabilities associated with the IME require that each component of the CSME subsystem platform be both present and functional. If any one component is not present (disabled or not installed), not configured properly, or is restricted by system policies, the vulnerabilities cannot be exploited.
If you do not install the hardware drivers in Windows, the vulnerabilities are null.
If you disable the hardware in the Windows Device Manager, the vulnerabilities are null.
If you do not install the Advanced Management software in Windows, the vulnerabilities are null.
If you do not properly configure or provision the AME, the vulnerabilities are null.
If you do not use the provided (built-on) Intel network connection for network/internet access, the vulnerabilities are null.
The reason Intel lists these vulnerabilities as "High Risk" is because a lot of businesses and companies do use the IME as intended and properly configured. For us end users, the problem isn't as important because most of us don't use/need the IME. Disabling it in the Device Manager and not installing the drivers/software effectively guarantees safety from any attack against the IME.