Disclosure: Supervisor security vulnerability

Are instances behind a firewall (no port forwarding), connected via the nabu casa cloud also vulnerable?