Re: Exchange 2013
Unless you are running a supported CU you won't get any security updates even if the product is affected. These are the last CU for versions in Extended support (CU 23 for Exchange 2013) or the current or current -1 for versions in mainstream support (16 and 17 for Exchange 2016, 5 and 6 for 2019).
Short answer, yes you are probably vulnerable and will need to update to a supported CU then apply the hotfix. They only list supported CUs on the CVE.
Also, 2016 goes into extended support in October. The last planned CU for 2016 will be released in December. This will be the only supported CU from that point.
https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-2016-and-the-end-of-mainstream-support/ba-p/1574110