AutoJack: RCE Vulnerability in Microsoft AutoGen Studio Threatens Local AI Agents
AutoJack: RCE Vulnerability in Microsoft AutoGen Studio Threatens Local AI Agents
Summary
A newly disclosed exploit chain named “AutoJack” demonstrates how a single malicious webpage loaded by a local browsing AI agent can lead to unauthorized Remote Code Execution (RCE) on the host machine. The vulnerability resides in the Model Context Protocol (MCP) WebSocket route of Microsoft’s AutoGen Studio pre-release builds. By leveraging missing authentication on local WebSocket ports, external attackers can execute commands directly on the host system. Microsoft has since patched the vulnerability.
What happened
Microsoft’s Threat Intelligence team published details of AutoJack, showing that local browser-enabled AI agents running AutoGen Studio dev builds 0.4.3.dev1 and 0.4.3.dev2 are vulnerable. The exploit combines localhost trust, skipped authentication on MCP routes, and unvalidated parameter execution. When a browsing agent visits a page containing malicious JavaScript, that script can establish a connection to the local WebSocket server and trigger arbitrary tools or commands without authentication.
Why it matters
Local AI agents are increasingly given extensive system privileges to manage files, run tests, and browse the web. However, their web-browsing capabilities open a dangerous gateway. Since developer tools often assume that any traffic originating from localhost is trusted, they lack proper security boundaries. AutoJack demonstrates that the paradigm of “localhost trust” is broken when web-enabled AI agents can be manipulated into sending requests to local ports.
Evidence
Microsoft’s threat research team successfully demonstrated the exploit, proving that loading a single prepared webpage triggers the host-level RCE. The vulnerability was patched in AutoGen’s main branch at commit b047730 via Pull Request #7362. Cybersecurity outlets, including The Hacker News and CSO Online, have confirmed the severity of the threat.
Analysis
The core issue in AutoJack stems from the design of the Model Context Protocol (MCP) WebSocket endpoint in the affected AutoGen Studio developer builds. The WebSocket server listened on localhost without enforcing any authentication token. When the AI agent browses and renders a webpage containing malicious payload code, the code executes in the agent’s browser context and makes a local WebSocket connection. Because the endpoint did not verify the caller’s identity, the attacker could issue commands that the MCP server executed on the host OS.
Practical Takeaways
Organizations and developers utilizing local AI agent frameworks should take the following steps:
- Apply Patches immediately: Update AutoGen Studio to a stable version containing the fix from PR #7362.
- Avoid Pre-releases: Do not run development builds like
0.4.3.dev1or0.4.3.dev2in production or sensitive environments. - Isolate Browsing Agents: Run agents that interact with external web pages inside sandboxed containers or virtual machines with restricted permissions.
- Implement Port Isolation: Enforce browser security policies that block web pages from initiating connections to local ports.
Open Questions
- Are other local agent frameworks implementing MCP WebSocket connections on localhost susceptible to similar hijacking vectors?
- How can AI agent architectures be redesigned to ensure web-browsing activities are completely decoupled from local control ports?
Sources
- Microsoft Security Blog: AutoJack: How a single page can RCE the host running your AI agent
- The Hacker News: AutoJack Attack Lets One Web Page RCE Your AI Agent Host
- GitHub: AutoGen Pull Request #7362
- LinkedIn: Microsoft Threat Intelligence Update
- X / Twitter: TechRadar Security Alert
- CSO Online: Web-enabled AI agents can trigger host-level RCE
- All About Security: AutoJack RCE-Lücke in AutoGen Studio