Filtering enabled didn't work?

This could be caused by multiple things. All Filtering Enabled does is make all client-side changes stay client-side (e.g. if someone changes a value, it will only change for them and not the server).

However, exploiters can still fire events from their client to the server that are insecure. If you are firing an important remote event, such as giving a player a certain amount of cash or a tool, do not send any info from the client, as this can be altered by the exploiter.

In your situation, the only thing I can think of is a backdoor in an admin script.

There is a better post explaining FE here: Exploiting Explained
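
A server-side handler that follows the advice above about remote events, as an added example that is not part of the original post. It assumes a RemoteEvent named `BuyItem` in ReplicatedStorage, a `leaderstats` IntValue named `Cash`, and tool templates in ServerStorage named after the catalog keys; all of those names are hypothetical.

```lua
-- Added example: server Script (e.g. in ServerScriptService).
-- Assumed names: RemoteEvent "BuyItem", leaderstats IntValue "Cash",
-- tool templates in ServerStorage named like the CATALOG keys.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem")

-- Prices live on the server only; the client never supplies them.
local CATALOG = {
	Sword = { price = 100 },
	Shield = { price = 250 },
}

-- Insecure pattern, kept as a comment for contrast: the server trusts a
-- price sent by the client, so a modified client can send any number.
-- buyItem.OnServerEvent:Connect(function(player, itemName, price)
--     player.leaderstats.Cash.Value -= price
-- end)

local lastRequest = {} -- per-player timestamp for simple rate limiting

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- `player` is set by the engine; every later argument is client-controlled.
	if typeof(itemName) ~= "string" then return end

	local item = CATALOG[itemName]
	if not item then return end -- unknown item name: ignore the request

	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < 0.5 then return end
	lastRequest[player] = now

	-- Read the balance from server state, never from the request.
	local stats = player:FindFirstChild("leaderstats")
	local cash = stats and stats:FindFirstChild("Cash")
	if not cash or cash.Value < item.price then return end

	local template = ServerStorage:FindFirstChild(itemName)
	local backpack = player:FindFirstChildOfClass("Backpack")
	if not template or not backpack then return end

	cash.Value -= item.price
	template:Clone().Parent = backpack
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid leaking entries for players who left
end)
```

The client only sends which item it wants; the price, the balance check and the tool itself all come from server-side state.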