Microsoft already released a security update for Exchange 2013 and Exchange 2016 on 12.12.17. This is not the quarterly CU, but a fix for a vulnerability in Outlook Web Access (OWA).
The CVE for the vulnerability can be found here:
The update is rated "Important". Microsoft describes the vulnerability as follows:
This security update resolves a vulnerability in Microsoft Exchange Outlook Web Access (OWA). The vulnerability could allow elevation of privilege or spoofing in Microsoft Exchange Server if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.
The updates can be downloaded here:
- Security Update For Exchange Server 2016 CU7 (KB4045655)
- Security Update For Exchange Server 2016 CU6 (KB4045655)
- Security Update For Exchange Server 2013 CU18 (KB4045655)
- Security Update For Exchange Server 2013 CU17 (KB4045655)
After the update has been installed, the Exchange services may remain in the "Disabled" status, so check the services once the installation has finished.
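One way to run this check is to save the start mode of every service before patching and compare it afterwards. The script below is an added example and not part of the original post; the snapshot path and the `-Phase` and `-Restore` parameters are assumptions made for this example.

```powershell
# Added example: snapshot service start modes before the update, compare afterwards.
# Parameter names and the snapshot path are assumptions made for this example.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Before', 'After')]
    [string]$Phase,
    [string]$SnapshotPath = 'C:\Temp\services-before-update.csv',
    [switch]$Restore   # with -Phase After: restore start modes and start the services
)

# Win32_Service.StartMode is reported as Auto, Manual or Disabled
$current = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, StartMode, State

if ($Phase -eq 'Before') {
    $current | Export-Csv -Path $SnapshotPath -NoTypeInformation -Encoding UTF8
    Write-Output "Saved $(@($current).Count) services to $SnapshotPath"
    return
}

# Index the pre-update snapshot by service name
$before = @{}
Import-Csv -Path $SnapshotPath | ForEach-Object { $before[$_.Name] = $_ }

# Services that are Disabled now but were not Disabled before the update
$changed = @($current | Where-Object {
    $_.StartMode -eq 'Disabled' -and
    $before.ContainsKey($_.Name) -and
    $before[$_.Name].StartMode -ne 'Disabled'
})

if ($changed.Count -eq 0) { Write-Output 'No service was switched to Disabled.'; return }

$changed | ForEach-Object {
    [pscustomobject]@{ Name = $_.Name; Was = $before[$_.Name].StartMode
                       WasState = $before[$_.Name].State; Now = $_.StartMode }
} | Format-Table -AutoSize

if ($Restore) {
    # Delayed auto-start is reported as Auto, so it comes back as plain Automatic
    $map = @{ Auto = 'Automatic'; Manual = 'Manual' }
    # First re-enable everything, then start, so dependencies are startable
    $fix = @($changed | Where-Object { $map.ContainsKey($before[$_.Name].StartMode) })
    $fix | ForEach-Object { Set-Service -Name $_.Name -StartupType $map[$before[$_.Name].StartMode] }
    $fix | Where-Object { $before[$_.Name].State -eq 'Running' } |
        ForEach-Object { Start-Service -Name $_.Name }
}
```

Run it from an elevated PowerShell session with `-Phase Before` ahead of the installation and with `-Phase After` once setup has finished; add `-Restore` only after reviewing the listed services.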
The quarterly CU should also be published in the next few days.