From an adversary's perspective, remote code execution takes priority, so let's patch those first. Among the RCEs, let's give higher priority to the ones that are public facing.
- Microsoft Exchange Remote Code Execution Vulnerabilities - CVE-2020-17144, CVE-2020-17141, CVE-2020-17117, CVE-2020-17132 and CVE-2020-17142
- Microsoft SharePoint Remote Code Execution Vulnerabilities - CVE-2020-17118, CVE-2020-17121
One important point here is that most of the vulnerabilities above were reported by external researchers, and some of them have a track record of disclosing a write-up or releasing a PoC after some time. Also, Microsoft has indicated that most of the above will be exploited, as per their exploitability assessment.
Up next, we have a DNS spoofing vulnerability dubbed SAD DNS (SAD - side channel attacked :)
Interestingly, Microsoft has not assigned this one a CVE and released a Security Advisory (ADV200013) instead. Researchers have published a proof-of-concept YouTube video demonstrating exploitation.