I can't reproduce that on a 4.2 system.
My firewall ruleset is fairly simple - allow a few services (DNS, DHCP, NTP) from the LAN, allow rate limited ICMP, allow all router access from an address-list populated with IP addresses that get access. Block NetBIOS and a few other ports from being forwarded, and don't forward traffic between customer networks:
[admin@MikroTik] > /ip fire fil pri det
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
1 ;;; allow established
chain=input action=accept connection-state=established
2 ;;; allow related
chain=input action=accept connection-state=related
3 ;;; allow local service UDP ports from LAN
chain=input action=accept protocol=udp in-interface=!outside dst-port=53,67,123
4 ;;; allow local service TCP ports from LAN
chain=input action=accept protocol=tcp in-interface=!outside dst-port=53
5 ;;; allow rate-limited ICMP
chain=input action=accept protocol=icmp limit=20,20
6 ;;; allow everything from admin networks
chain=input action=accept src-address-list=Administrative_Networks
7 ;;; drop everything else
chain=input action=drop
8 ;;; forward established traffic
chain=forward action=accept connection-state=established
9 ;;; forward related traffic
chain=forward action=accept connection-state=related
10 ;;; drop undesired TCP
chain=forward action=drop protocol=tcp dst-port=135-139,445,1434,4444
11 ;;; drop undesired UDP
chain=forward action=drop protocol=udp dst-port=135-139,445,1434,4444
12 ;;; forward traffic from customer interfaces to WAN (all other networks cannot talk to one another)
chain=forward action=accept out-interface=outside
13 ;;; drop everything else
chain=forward action=drop
That system also runs Hotspots. Using those rules, trying to access the router webpage from a client on the Hotspot network that isn't authenticated redirects me to the Hotspot login page. Once authenticated, I cannot access the router webpage. Once I add the client network to the Administrative_Networks address list, I can load the router webpage. Once I remove the network from the address list again, I cannot access the router anymore.