Unsurprisingly, the summary and TFA get it wrong. The vulnerability is not in devices. "Messaging Agent" and "MDS Connection Service" are server side components - the vulnerability is there, and not on the phone.
The phone can trigger them because web browsing on a BES-connected device goes through the MDS connection service, so a properly crafted web page can compromise the the MDS service on the server.
Similarly, sending an email will get routed through messaging agent - which is why a crafted email can trigger this without the email being opened on the client device.