Well, it can be used in a chain of attack to jump from one compromised, external-facing machine to another only internal one that might hold more sensitive data. Or to run some inside-job (although in that case developers should not be able to spawn up a VM in production)