To be attacked it first has to be accessible. Most MCU applications have no interface that can be reached remotely. Most also have ROM based code which cannot be changed without physically attaching a programming device. Of the remainder, if it has a self-write facility or externally accessible program memory it is theoretically possible to change it remotely but good software should then verify the integrity of the connection and prevent unauthorized changes.
Brian.