Local DNS setup (Router v7.20)

Unfortunately, the default action on the chains of the firewall when there are no matching rules is to accept the packets. With your firewall filter table being completely empty on the input chain, the services running on your router are currently completely exposed to the internet. If you started from a blank configuration, these services are fully accessible to attackers on the internet:

Yes, even telnet. And with WebFig (the www service) open on port TCP 80, you are vulnerable to this currently unpatched buffer-overflow CVE that requires no authentication: CVE-2025-10948 - RouterOS / General - MikroTik community forum!

Also, your hEX refresh router's routing performance will greatly improve if you can make use of Fasttrack. Fasttrack requires one specific firewall rule on the forward chain, which you also don't have.

If possible, please apply MikroTik's defconf firewall rules immediately. You can find them here (use the rules from the RouterOS 7.18 section of that post, and don't forget to populate the interface lists first).

A similar configuration with a bit more explanation is available in the official documentation: Building Advanced Firewall - RouterOS - MikroTik Documentation.

You can also learn more about the default configuration that comes with your hEX refresh (that you've unwisely erased) from this article by @tangent: MikroTik Solutions: Default Router Configuration.

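One way to check a router's text export for the two gaps described in the post above (an input chain that falls through to the default accept, and a missing Fasttrack rule on the forward chain). This is an added example, not part of the original post and not MikroTik tooling; the function names, finding strings and both sample exports are constructed, and treating "closed" as "the input chain ends in a drop that matches only on ingress interface" is an assumption of this example.

```python
import shlex

def parse_filter_rules(export_text):
    """Collect the rules listed under '/ip firewall filter' in a RouterOS export."""
    rules, section, pending = [], None, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):        # long export lines are wrapped with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return rules

def audit(export_text):
    """Return findings for the two gaps named in the post above."""
    active = [r for r in parse_filter_rules(export_text) if r.get("disabled") != "yes"]
    findings = []
    # No matching rule means accept, so the input chain must END in a drop whose only
    # matcher is the ingress interface (assumption: that is what "closed" means here).
    inp = [r for r in active if r.get("chain") == "input"]
    last = inp[-1] if inp else {}
    matchers = set(last) - {"chain", "action", "comment", "in-interface", "in-interface-list"}
    if last.get("action") not in ("drop", "reject") or matchers:
        findings.append("input chain falls through to default accept")
    if not any(r.get("chain") == "forward" and r.get("action") == "fasttrack-connection"
               for r in active):
        findings.append("no fasttrack-connection rule on forward chain")
    return findings

# Constructed sample exports (not taken from the thread).
EXPOSED = """/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""
HARDENED = """/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \\
    connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward connection-state=established,related
"""

if __name__ == "__main__":
    for name, text in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(name, audit(text) or "ok")
```

The check only inspects rule order and matchers in the export; it does not confirm that the interface lists referenced by the rules are actually populated.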