Do you have input rules?
Why allow any access to the router from the various LANs?
With few exceptions, I would block all but your management subnet or management port access to the router on the LAN side.
add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related
add chain=input action=accept in-interface=<management interface> src-address=<management subnet>
add chain=input action=drop
Use safe mode when doing this to ensure you don't lock yourself out.
The third rule will allow MAC Winbox if src-address matches.
If you need remote access add a fourth rule before the drop:
add chain=input action=accept in-interface=<gateway interface> src-address-list=<Public IP List>
Then make an address list with the few publics that need to access the router from the public WAN. Use care with this.
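
Added example, not part of the original post: a small Python check that reads a RouterOS filter export and reports where the input chain departs from the layout described above (source-restricted accepts, then a final unconditional drop). The interface names, subnet and address-list name in the sample are assumed values standing in for the post's placeholders.

```python
import shlex

# Constructed sample export: the post's rules with its <placeholders> filled in.
# ether1, ether5, 192.168.88.0/24 and "remote-admins" are assumed values.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related
add chain=input action=accept in-interface=ether5 src-address=192.168.88.0/24
add chain=input action=accept in-interface=ether1 src-address-list=remote-admins
add chain=input action=drop
"""

NON_MATCH = {"chain", "action", "comment", "disabled", "log", "log-prefix"}

def parse_input_rules(export_text):
    """Return enabled /ip firewall filter input rules as dicts, in rule order."""
    rules, section = [], ""
    for line in export_text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            rule.setdefault("action", "accept")  # exports omit the default action
            if rule.get("chain") == "input" and rule.get("disabled") != "yes":
                rules.append(rule)
    return rules

def audit_input_chain(export_text):
    """Return findings; an empty list means the chain matches the post's layout."""
    rules = parse_input_rules(export_text)
    if not rules:
        return ["no input rules: nothing restricts access to the router"]
    findings = []
    for n, rule in enumerate(rules, 1):
        unconditional = not (set(rule) - NON_MATCH)
        last = n == len(rules)
        if rule["action"] == "drop" and unconditional and not last:
            findings.append(f"rule {n}: unconditional drop shadows later rules")
        if last and not (rule["action"] == "drop" and unconditional):
            findings.append(f"rule {n}: chain does not end in an unconditional drop")
        if rule["action"] != "accept":
            continue
        if "new" not in rule.get("connection-state", "new").split(","):
            continue  # established/related traffic, as in the post's first two rules
        if not {"src-address", "src-address-list"} & set(rule):
            findings.append(f"rule {n}: accepts new connections from any source")
    return findings

if __name__ == "__main__":
    print(audit_input_chain(SAMPLE_EXPORT) or "input chain OK")
```

Findings are prompts for review rather than verdicts: an accept rule that is deliberately open to any source will be listed and can be confirmed by hand.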