Don't Need an Exploit if You Have the Password
This sounds like a further development of techniques used earlier. You don't need to find an exploit in a server if you have the admin passwords. Instead, you target the administrator's desktop PC in a watering hole attack with an off the shelf Windows virus, or use phishing, or social engineering to get the passwords. Or you just use a botnet to brute force the passwords and look for servers with weak passwords. In fact, it might be better if the server has no vulnerabilities, because then the admin probably won't spend as much time looking for suspicious activity.
You don't have to crack any specific server. You just need to find *a* server where you can get in. So you just go around "rattling the doorknobs" looking for an easy target. The more people who have some sort of legitimate access to a server, the more likely it is that someone is going to slip up and let their passwords get loose.