As far as I can tell - most of the consumer models would not be vulnerable if you don't fiddle with the default firewall rules. If you're working with the high end models then you should know that multiple layers of security are needed to keep you safe on the big bad Internet.
Firewall all management ports (winbox, ssh, etc). Disable any ports that you don't use - like the API. And lastly - only manage via a VPN from outside the network.
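The checklist above can be verified against a saved router configuration. The following is an added example, not part of the original comment: it assumes RouterOS-style `/ip service` export lines, and the default-enabled service list, the in-use set, the trusted LAN/VPN ranges and the sample text are all constructed assumptions.

```python
import ipaddress
import shlex

# Assumption: services treated as enabled unless the export says disabled=yes.
DEFAULT_ENABLED = {"telnet", "ftp", "www", "ssh", "api", "winbox", "api-ssl"}
# Assumption: the only management services this admin actually uses.
IN_USE = {"ssh", "winbox"}
# Assumption: LAN/VPN ranges management may come from (IPv4 only in this sketch).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_services(export_text):
    """Return {service: {"disabled": bool, "address": [networks]}} from the /ip service section."""
    state = {name: {"disabled": False, "address": []} for name in DEFAULT_ENABLED}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):  # a new export section begins
            in_section = (line == "/ip service")
            continue
        if not in_section or not line.startswith("set "):
            continue
        name, *pairs = shlex.split(line)[1:]
        entry = state.setdefault(name, {"disabled": False, "address": []})
        for tok in pairs:
            key, _, value = tok.partition("=")
            if key == "disabled":
                entry["disabled"] = (value == "yes")
            elif key == "address" and value:
                entry["address"] = [ipaddress.ip_network(a, strict=False) for a in value.split(",")]
    return state

def audit(export_text, in_use=IN_USE):
    """List (service, problem) pairs that contradict the checklist."""
    findings = []
    for name, entry in sorted(parse_services(export_text).items()):
        if entry["disabled"]:
            continue
        nets = entry["address"]
        if name not in in_use:
            findings.append((name, "enabled but unused: disable it"))
        elif not nets or not all(any(n.subnet_of(t) for t in TRUSTED) for n in nets):
            findings.append((name, "not limited to LAN/VPN addresses: restrict it"))
    return findings

# Constructed sample export: API services left on, winbox open to any address.
SAMPLE = ("/ip service\nset telnet disabled=yes\nset ftp disabled=yes\nset www disabled=yes\n"
          "set ssh address=10.8.0.0/24\nset winbox address=0.0.0.0/0\n"
          "/ip firewall filter\nadd chain=input action=drop in-interface-list=WAN\n")

if __name__ == "__main__":
    for service, problem in audit(SAMPLE):
        print(f"{service}: {problem}")
```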