Full Report
Microsoft researchers have detailed an exploit chain, named AutoJack, that turns an AI browsing agent into a delivery vehicle for remote code execution. Steer the agent to load an attacker's web page, and that page's JavaScript can reach a privileged local service on the same machine and spawn a process on the host. No credentials, no sign-in screen, and no further user interaction once
Analysis Summary
This summary provides a technical breakdown of the "AutoJack" exploit chain as detailed in the provided researchers' report.
# Vulnerability: AutoJack Exploit Chain in AutoGen Studio
## CVE Details
* **CVE ID:** Not explicitly assigned in the provided text (Research stage).
* **CVSS Score:** N/A (Estimated Critical/High based on unauthenticated RCE).
* **CWE:**
  * CWE-78: OS Command Injection
  * CWE-287: Improper Authentication
  * CWE-918: Server-Side Request Forgery (SSRF) / Cross-Site Request Forgery (CSRF) on local services.
## Affected Systems
* **Products:** Microsoft AutoGen Studio (open-source prototyping interface).
* **Versions:** Pre-release builds `0.4.3.dev1` and `0.4.3.dev2`.
  * *Note: Stable release 0.4.2.2 is not affected.*
* **Configurations:** Systems where an AI browsing agent is running locally alongside a vulnerable AutoGen Studio developer instance.
## Vulnerability Description
AutoJack is a multi-step exploit chain targeting the Model Context Protocol (MCP) WebSocket handler. The vulnerability stems from three primary failures:
1. **Misplaced Trust in Identity:** The WebSocket endpoint trusted all traffic from `localhost`. While this blocks external browsers, an AI agent running on the host machine connects as `localhost`, so a page it loads can bypass the cross-origin protections.
2. **Broken Authentication:** Authentication middleware skipped MCP paths under the false assumption that the handler would validate tokens; however, no validation occurred.
3. **Command Injection:** The endpoint accepted executable commands directly from request parameters without an allowlist, executing them under the privileges of the AutoGen Studio process.
## Exploitation
* **Status:** PoC available (demonstrated by researchers); no known exploitation in the wild.
* **Complexity:** Low (requires steering an agent to a malicious URL).
* **Attack Vector:** Network (Remote attacker lures a local AI agent to a malicious site).
## Impact
* **Confidentiality:** High (Full host access).
* **Integrity:** High (Ability to execute arbitrary commands/modify files).
* **Availability:** High (Potential for system-wide disruption or deletion).
## Remediation
### Patches
* **GitHub Main Branch:** Hardening is available in commit `b047730` (PR #7362).
* **Stable Version:** Users should remain on or downgrade to stable version `0.4.2.2` until a new formal PyPI release incorporates the fix.
### Workarounds
* **Avoid Pre-releases:** Do not use `--pre` flags or pin to the `0.4.3.dev` series in production or internet-connected environments.
* **Network Isolation:** Run AI browsing agents in isolated containers or sandboxes that cannot reach the host’s loopback interface (`127.0.0.1`).
## Detection
* **Indicators of Compromise:** Unexpected child processes spawned by the `autogenstudio` process (e.g., `calc.exe`, `cmd.exe`, `/bin/sh`).
* **Detection Methods:** Monitor network logs for unusual WebSocket connections to the AutoGen Studio port from local AI agent processes. Review system process trees for suspicious executable execution originating from Python-based AI frameworks.
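As an added example (not code from the researchers' report or the AutoGen project), the process-tree check described above in Python: it walks constructed process-creation events and flags any shell or interpreter whose ancestor chain leads back to an `autogenstudio` process. The event shape, field names and the `autogenstudio` command-line marker are assumptions.

```python
"""Flag shells and other suspicious children spawned under AutoGen Studio.

Takes a list of process-creation events (constructed sample data in a
simplified Sysmon/auditd-like shape) and reports every process whose image
is on the watch list and that descends from an `autogenstudio` process.
"""
from dataclasses import dataclass

# Images an AutoGen Studio server has no business launching on its own.
SUSPICIOUS_IMAGES = {"cmd.exe", "powershell.exe", "calc.exe", "sh", "bash", "dash"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str


def is_autogenstudio(ev: ProcEvent) -> bool:
    # Assumption: the server shows up as a Python interpreter with
    # "autogenstudio" on its command line (entry point or `python -m`).
    return "autogenstudio" in ev.cmdline.lower()


def find_suspicious_spawns(events):
    """Return (child_pid, autogenstudio_pid) pairs, walking each flagged
    child's ancestor chain until an AutoGen Studio process or the root."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        if ev.image.lower() not in SUSPICIOUS_IMAGES:
            continue
        seen, cur = set(), by_pid.get(ev.ppid)
        while cur is not None and cur.pid not in seen:   # guard against pid reuse loops
            if is_autogenstudio(cur):
                hits.append((ev.pid, cur.pid))
                break
            seen.add(cur.pid)
            cur = by_pid.get(cur.ppid)
    return hits


# Constructed sample: AutoGen Studio (pid 4100) spawns cmd.exe, which launches
# calc.exe; an unrelated explorer.exe also launches cmd.exe and must not alert.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "init", "init"),
    ProcEvent(3000, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(4100, 1, "python.exe", "python.exe -m autogenstudio ui --port 8081"),
    ProcEvent(4210, 4100, "cmd.exe", "cmd.exe /c calc.exe"),
    ProcEvent(4211, 4210, "calc.exe", "calc.exe"),
    ProcEvent(3500, 3000, "cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for child, parent in find_suspicious_spawns(SAMPLE_EVENTS):
        print(f"ALERT: pid {child} descends from autogenstudio pid {parent}")
```

Only the two processes under pid 4100 are reported; the explorer-launched shell is ignored because no AutoGen Studio process appears in its ancestry.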
## References
* Microsoft Security Blog: https://www.microsoft[.]com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/
* GitHub Commit: https://github[.]com/microsoft/autogen/commit/b0477309d2a0baf489aa256646e41e513ab3bfe8
* The Hacker News: https://thehackernews[.]com/2026/06/autojack-attack-lets-one-web-page.html