A recent analysis by Microsoft researchers has unveiled an exploit chain known as AutoJack, which enables an AI browsing agent to serve as a conduit for remote code execution. By directing the agent to load a malicious web page, an attacker can execute commands on the host machine without requiring user credentials or additional interaction after the page is loaded.
Details of the Vulnerability
The vulnerability is rooted in AutoGen Studio, an open-source prototyping interface associated with Microsoft’s AutoGen multi-agent framework. The issue does not affect every installation of the package. A standard installation via pip install autogenstudio retrieves the stable release version 0.4.2.2, which does not include the vulnerable Model Context Protocol (MCP) route. However, two pre-release versions, 0.4.3.dev1 and 0.4.3.dev2, do contain this flaw.
Mechanics of the AutoJack Attack
The AutoJack exploit takes advantage of three weaknesses in the MCP WebSocket. First, the socket trusts connections that originate from localhost, a check intended to stop a typical browser from reaching the endpoint on behalf of a malicious site. However, since the browsing agent operates on the same machine, its connections arrive from localhost as well, so the check does not distinguish it from a trusted local user. Second, the authentication middleware exempts MCP paths, assuming that the handler would authenticate requests, which it does not. Finally, the endpoint executes commands taken directly from request parameters without any restriction on which commands can be run.
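The first two weaknesses are a common access-control pattern, shown here as an added illustration that is not AutoGen Studio's code: a hypothetical middleware that exempts an MCP path prefix on the assumption the handler authenticates, leaving only a loopback-address check that a local agent satisfies, beside a hardened variant that requires a token on every path. The path prefix, token and request shape are constructed for the example.

```python
# Added illustration (not AutoGen Studio's code): models the localhost-trust
# check and the path-exempting auth middleware the article describes, and a
# hardened middleware that requires a bearer token regardless of client address.
from dataclasses import dataclass, field

MCP_PREFIX = "/api/mcp"                   # hypothetical path prefix for the MCP route
VALID_TOKEN = "constructed-secret-token"  # constructed sample credential

@dataclass
class Request:
    path: str
    client_host: str                      # address the socket sees the client at
    headers: dict = field(default_factory=dict)

def is_local(req: Request) -> bool:
    # A browsing agent on the same machine connects from a loopback address,
    # so this check cannot tell it apart from a trusted local user.
    return req.client_host in ("127.0.0.1", "::1")

def has_valid_token(req: Request) -> bool:
    return req.headers.get("authorization") == f"Bearer {VALID_TOKEN}"

def weak_auth_middleware(req: Request) -> bool:
    """Flawed pattern: MCP paths are skipped on the assumption that the
    MCP handler authenticates them itself (it does not)."""
    if req.path.startswith(MCP_PREFIX):
        return is_local(req)              # only the loopback check remains
    return has_valid_token(req)

def hardened_auth_middleware(req: Request) -> bool:
    """Every path requires a valid token; the client address is never
    accepted as a substitute for authentication."""
    return has_valid_token(req)

def mcp_handler_allowed(req: Request, middleware) -> bool:
    # The handler performs no authentication of its own, as in the
    # vulnerable builds; access is decided entirely by the middleware.
    return middleware(req)

if __name__ == "__main__":
    # Constructed request: an unauthenticated connection from a local agent.
    local_agent = Request(path=f"{MCP_PREFIX}/run", client_host="127.0.0.1")
    print("weak:", mcp_handler_allowed(local_agent, weak_auth_middleware))          # True
    print("hardened:", mcp_handler_allowed(local_agent, hardened_auth_middleware))  # False
```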
Current Status and Mitigations
Microsoft has characterized this finding as research rather than an active exploitation campaign, reporting no known instances of the vulnerability being exploited in the wild. A proof of concept demonstrated that an attacker could use a Web Content Summarizer agent to execute commands like calc.exe on the developer’s desktop. The issue has been documented with the Microsoft Security Response Center, and the main branch has been hardened in commit b047730.
Recommended Actions for Users
For users who have installed the stable version (0.4.2.2), there is no immediate risk as it does not contain the vulnerable MCP route. However, those who have installed the pre-release versions should migrate to the fixed code available on GitHub after commit b047730, as no patched version is currently available on PyPI. Until an official release is made, users are advised to avoid running AutoGen Studio on the same machine as any browsing or code-execution agents that may interact with untrusted content. If necessary, these components should be isolated in separate containers or virtual machines, and AutoGen Studio should be executed under a low-privilege account.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.