Disclosed today at @Disobey_fi - psexec from #impacket expose the target system for authenticated command execution as SYSTEM. That means any user that can authenticate over the network (usually Domain Users) can run code as SYSTEM over the network.
@Disobey_fi If your psexec session is disrupted before clean-up, the service remains and will expose the target until it is restarted.
The vulnerable code is in RemComSvc, setting an empty DACL on the pipe.