CVE-2025-50740
Description
AutoConnect 1.4.2, an Arduino library, is vulnerable to a cross site scripting (xss) vulnerability. The AutoConnect web interface /_ac/config allows HTML/JS code to be executed via a crafted network SSID.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AutoConnect 1.4.2 Arduino library suffers from stored XSS via SSID in the /_ac/config web interface, allowing adjacent attackers to execute scripts.
The AutoConnect library version 1.4.2 for Arduino contains a cross-site scripting (XSS) vulnerability in its web-based configuration interface. The /_ac/config page displays available Wi-Fi networks and does not properly sanitize the SSID field before rendering it in HTML [1]. An attacker can create a rogue Wi-Fi access point with a malicious SSID containing HTML/JavaScript code, such as ``. When a user accesses the configuration page, the device scans for networks and populates the list, causing the attacker's script to execute in the user's browser [2].
Exploitation requires the attacker to be in Wi-Fi range of the target device. No authentication is needed to access the /_ac/config page, which is intended for device configuration. The attacker sets up a Wi-Fi hotspot with a crafted SSID; any user who opens the configuration page while the rogue network is visible will trigger the script [2]. The script can be crafted to perform further actions like stealing session cookies or redirecting to malicious sites.
Successful exploitation allows an adjacent attacker to execute arbitrary JavaScript in the context of the AutoConnect web interface. This can lead to credential theft, session hijacking, or manipulation of the device's Wi-Fi configuration, potentially forcing the device to connect to an attacker-controlled network [2]. The impact is limited to the browser session but can affect subsequent device interactions.
The vendor has not yet released a patched version, but the recommended remediation is to HTML-encode all SSIDs containing special characters before rendering them in the web interface [2]. Users should avoid opening the configuration page in the presence of untrusted Wi-Fi networks until a fix is applied.
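The remediation above, HTML-encoding every SSID before it is rendered, as an added example that is not AutoConnect's own code: a standalone C++ escaper that treats the SSID as raw octets, shown beside the unsafe string concatenation that produces this class of bug. It uses std::string instead of the Arduino String class so it compiles off-device; the function names are hypothetical.

```cpp
#include <cstdio>
#include <string>

// Escape an SSID (arbitrary octets, at most 32 per 802.11) so it can be
// placed in HTML text or a double-quoted attribute without the browser
// treating any of it as markup. Hypothetical helper, not AutoConnect's API.
std::string htmlEscapeSsid(const std::string& ssid) {
    std::string out;
    out.reserve(ssid.size() * 6);
    for (unsigned char c : ssid) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:
                // SSIDs are not guaranteed to be text: control bytes are not
                // legal in HTML, so emit them as numeric references.
                if (c < 0x20 || c == 0x7f) {
                    char buf[8];
                    std::snprintf(buf, sizeof buf, "&#%u;", static_cast<unsigned>(c));
                    out += buf;
                } else {
                    out += static_cast<char>(c);
                }
        }
    }
    return out;
}

// One row of a scan-results list, first as the unsafe concatenation that
// lets a crafted SSID inject markup, then with the SSID escaped.
std::string renderOptionUnsafe(const std::string& ssid) {
    return "<option value=\"" + ssid + "\">" + ssid + "</option>";
}

std::string renderOptionSafe(const std::string& ssid) {
    const std::string esc = htmlEscapeSsid(ssid);
    return "<option value=\"" + esc + "\">" + esc + "</option>";
}

// Count '<' in a rendered row: the safe renderer must emit exactly the two
// it writes itself (<option ... and </option>), whatever the SSID contained.
size_t countTagOpens(const std::string& html) {
    size_t n = 0;
    for (char ch : html) if (ch == '<') ++n;
    return n;
}
```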
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: = 1.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.