Is the concern valid that similar “malicious commands” can be issued to ROS via the hotspot service? I don’t believe it is, but it will be good to get an answer from MT why similar commands will not be a threat to ROS.
Can those be exploited? Maybe. Only a code review would show. But the parameters that CAN be passed in are fairly harmless. The links you posted focus on exploits of a full administrative interface to the routers in question, which the Hotspot servlets don’t provide. From that list the Hotspot servlets wouldn’t need any write capabilities to anything administrative outside of themselves. A slightly bigger worry might be RADIUS attributes passed back on login that cause the creation of queues etc.
Those exploits are based on a parsing error with DD-WRT. The web service does not escape data prior to parsing, so the CGI-bin folder will blindly accept shell commands as long as you prepend a ; before it. RouterOS does not use this CGI-bin system. Also, all the web-based administrative functions for webmin are encoded and passed as parameters through Jproxy, which properly checks for user credentials prior to parsing anything.
Mikrotik did a very nice job in hardening their web interface. As long as the web service is disabled, you should be just fine.