Exploiters can do “anything”, but most of them won’t actually replicate to the server. Exploiters (without server-side access like backdoors) can only access parts that they have network-ownership on, read the code of LocalScripts and ModuleScripts (only ModuleScripts that are visible to the client), access RemoteEvents and RemoteFunctions, and access global arrays (like _G and shared).
For an exploiter to actually have direct access to the server, is with backdoors (it could be anything! fake plugins, models, scripts, etc.) or access to your account.