Sure, but other than running this thing on a big 80x86 machine, with Centos, NGINX or Apache, with regular patches, one has to assume that - by installation - it isn't going to be open to the chinese and russians
There is a username+pwd login anyway, plus an optional client IP requirement which you can set to e.g. the VPN terminator of your remote access facility. Again, the username and password could be overloaded (the 20-char limit is implemented at the client) and then it is a matter of how solid LWIP is at dealing with oversize packets. I would think it chucks them out; it's an obvious thing.
You get this debate with all embedded systems. There could be a vulnerability at the low level ETH part, where a dedicated DMA controller is transferring incoming packets to a chain of buffers. One should limit the DMA transfer count to the MTU but you never know...
There is no support on low level STM 32F4 ETH, same with LWIP, same with FatFS. Well, there are forums and mailing lists, full of posts from variously desperate people, and almost nobody answering. How big is ST? 12.7BN annual sales, no support forum presence, and there is just one guy who knows anything (quite a lot actually) who is not even working for ST and occassionally posts something and only after telling you that you are a complete m0ron who cannot read. Welcome to the world of embedded "open source" software
This is why "IOT" can't be on an open port (already widely debated).
I supervised a project (Centos etc as above) which does data validation at the client (JS) and does it all again at the server. It is about 3x more work but you have to it; it is a public site.
This is basically an industrial control product but with lots of applications outside. Probably the biggest attack vector is pure vandalism via an inside job, possibly aided by somebody leaking the WIFI pwd and then somebody getting in from a car parked outside. That vector would be the same even if this product was totally secure.