Patch Tuesday: Security Updates for SQL Server 2012, 2014, 2016
Security updates were released today to patch a remote code execution vulnerability in Reporting Services, affecting the following versions (there are both GDR and CU versions available). See the appropriate "latest builds" post for more info and links to KB articles:
While it looks like this is isolated to Reporting Services, the patch touches a lot of files, and updates the engine version, which leads me to believe the vulnerability is currently exploited via SSRS, but the underlying problem has deeper roots. The fact that they provided GDR fixes, and for versions that are no longer in mainstream support, suggests that it is a high-priority fix.
So, if you're wondering whether you should deploy this to instances where you currently don't use SSRS, I would say, yes, please install the patch anyway.