As best I understand this (mostly thanks to the comments on Reddit), some security researchers have found a way to get the rootest of root-level access to certain Intel systems via the USB port.
If I'm understanding this correctly, it's one of those things that is much worse for organizational users. It requires a more recent (Skylake and newer) CPU with the Management Engine enabled, as well as certain additional issues (either a bugged BIOS or some settings not turned on). From the authors' summary:
To defend against such attacks, we advise that users activate Boot Guard, verify the status of the DCI enable bit, and disable debugging in the IA32_DEBUG_INTERFACE register (even if the register is disabled, DCI can still run but it is unable to interrupt and therefore access to memory and registers is impossible).
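
One way to check the last of those recommendations on a Linux host, as an added example that is not from the researchers or from this post: it reads IA32_DEBUG_INTERFACE on every logical CPU and reports whether debugging is disabled and the register locked. It assumes the `msr` kernel module is loaded and the script runs as root; the MSR address and bit positions are taken from the Intel SDM, not from the page, and it does not cover Boot Guard or the DCI enable bit.

```python
import glob
import os
import struct

IA32_DEBUG_INTERFACE = 0xC80   # MSR address per the Intel SDM (assumption: not stated on the page)
ENABLE = 1 << 0                # silicon debug features enabled
LOCK = 1 << 30                 # register locked against further writes until reset
DEBUG_OCCURRED = 1 << 31       # sticky bit: debug was enabled at some point since reset


def decode(value):
    """Split a raw IA32_DEBUG_INTERFACE value into its three defined flags."""
    return {
        "enable": bool(value & ENABLE),
        "lock": bool(value & LOCK),
        "debug_occurred": bool(value & DEBUG_OCCURRED),
    }


def assess(value):
    """Return a list of findings; an empty list means disabled and locked."""
    flags = decode(value)
    findings = []
    if flags["enable"]:
        findings.append("debug enabled")
    if not flags["lock"]:
        findings.append("register not locked")
    if flags["debug_occurred"]:
        findings.append("debug has been enabled since reset")
    return findings


def read_msr(cpu_dev, msr=IA32_DEBUG_INTERFACE):
    """Read one 64-bit MSR through the Linux msr driver (requires root)."""
    fd = os.open(cpu_dev, os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


def audit_host():
    """Assess every logical CPU; returns {device_path: findings}."""
    return {dev: assess(read_msr(dev)) for dev in sorted(glob.glob("/dev/cpu/*/msr"))}


if __name__ == "__main__":
    for dev, findings in audit_host().items():
        print(dev, "OK" if not findings else "; ".join(findings))
```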