An easy to use exploit, have been discovered for Exchange 2010, 2013, 2016 and 2019, patch now.
If you have a login for a normal user, you can execute code on the server as “SYSTEM” account through Exchange Control Panel (ECP)!:
Read more and see video:
Microsoft patch:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688