Severity: HIGH (significant risk, prioritise patching) · Relevance: 9.1 · Mapped to MITRE ATLAS and OWASP LLM Top 10

AutoJack Exploit Chain Turns AI Browsing Agent Into Remote Code Execution Vector

TL;DR HIGH
  • What happened: A malicious web page can hijack an AutoGen Studio AI agent to execute arbitrary host commands with no authentication.
  • Who's at risk: Developers who installed AutoGen Studio pre-release builds 0.4.3.dev1 or 0.4.3.dev2 and run browsing agents on the same machine.
  • Act now: Immediately audit installed AutoGen Studio versions and remove any 0.4.3.dev1 or 0.4.3.dev2 pre-release builds; pin to stable release 0.4.2.2 or pull the hardened code from GitHub main at commit b047730; never expose MCP WebSocket endpoints without authentication, and apply strict command allowlists for any agent-facing local services.

Overview

Microsoft Research has detailed AutoJack, an exploit chain that weaponises an AI browsing agent into a remote code execution (RCE) delivery mechanism. A single attacker-controlled web page, when loaded by an AutoGen Studio agent running locally, can spawn an arbitrary process on the host machine — no credentials, no user interaction, and no further steps required after the agent navigates to the URL. The attack vector can be triggered via a planted link, a URL field, or a prompt injection targeting the agent’s task queue.

The vulnerability resides in AutoGen Studio 0.4.3.dev1 and 0.4.3.dev2, two pre-release PyPI builds that shipped a Model Context Protocol (MCP) WebSocket handler absent from the stable 0.4.2.2 release. Both builds remain available on PyPI and have not been yanked.


Technical Analysis

AutoJack chains three distinct weaknesses in the MCP WebSocket implementation:

  1. Localhost trust bypass: The WebSocket handler trusted connections originating from localhost as inherently safe — a reasonable assumption for a standard browser, but fatally flawed when the client is a browsing agent running on the same host. Any page the agent loads runs its JavaScript inside that local browser, so the page's WebSocket connections arrive from localhost and inherit that trust automatically.

  2. Authentication middleware gap: The configured auth middleware unconditionally skipped MCP routes, deferring token verification to the handler itself. The handler never performed that verification, meaning all connections were accepted regardless of configured auth mode.

  3. Unsanitised command execution: The MCP endpoint read an executable command directly from a request parameter and ran it without any allowlist or validation. There was no restriction on which binary could be invoked.

Chained together, these three weaknesses allow a web page served from the open internet to issue an unauthenticated WebSocket request to the local AutoGen Studio MCP endpoint, supply an arbitrary command string, and have it executed under the account running the studio process.

The proof-of-concept scenario used a “Web Content Summarizer” agent: when directed to an attacker URL, the page’s JavaScript opened a WebSocket to the local MCP handler and issued a command that spawned calc.exe on the developer’s desktop.

The fix, landed in commit b047730 (PR #7362) on GitHub main, eliminates direct command parameters from requests. Commands are now stored server-side and referenced via a one-time session ID, breaking the injection path.


Framework Mapping

  • AML.T0051 (LLM Prompt Injection): The initial trigger can be a prompt injection that directs the agent to load the malicious URL.
  • AML.T0047 (ML-Enabled Product or Service): The attack surface is a production-adjacent AI agent framework.
  • LLM08 (Excessive Agency): The agent’s privileged local service access, combined with unrestricted command execution, exemplifies the excessive agency anti-pattern.
  • LLM07 (Insecure Plugin Design): The MCP WebSocket handler is effectively an unauthenticated plugin interface with no input validation.
  • LLM05 (Supply Chain Vulnerabilities): The vulnerable code shipped via PyPI pre-release builds, exposing users who opted into early releases.

Impact Assessment

Microsoft confirmed no exploitation in the wild and characterises this as research. However, the two vulnerable pre-release builds remain on PyPI. Any developer who installed them and runs browsing agents is exposed to host-level RCE from any web page the agent visits. The blast radius extends to CI pipelines, dev machines, and any environment where AutoGen Studio agents operate with network access.


Mitigation & Recommendations

  • Remove pre-release builds: Uninstall autogenstudio==0.4.3.dev1 and autogenstudio==0.4.3.dev2 immediately.
  • Pin to stable: Use pip install autogenstudio==0.4.2.2 or apply the hardened main-branch code from commit b047730.
  • Harden MCP surfaces: Enforce authentication on all MCP WebSocket routes; never defer token validation to downstream handlers.
  • Implement command allowlists: Agent-adjacent local services must restrict executable invocation to a pre-approved set.
  • Treat agent-rendered content as untrusted: Apply the same threat model to agent-loaded pages as to attacker-controlled input.
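The three weaknesses from the Technical Analysis and the hardening steps listed above, mapped onto a small hypothetical handler. This is an added example, not AutoGen Studio code; the allowlist, the trusted-origin set and the bearer-token scheme are assumptions.

```python
import hmac
import secrets
import shlex

# Assumed allowlist and trusted browser origins for this illustration;
# the real values would come from the deployment's configuration.
ALLOWED_BINARIES = {"python", "node"}
TRUSTED_ORIGINS: set[str] = set()


class McpCommandBroker:
    """Hypothetical hardened MCP-style command handler (not AutoGen code)."""

    def __init__(self, auth_token: str):
        self._token = auth_token
        self._sessions: dict[str, list[str]] = {}  # session ID -> argv

    def register(self, command: str) -> str:
        """Server-side registration: allowlist the binary, return a one-time ID."""
        argv = shlex.split(command)
        if not argv or argv[0] not in ALLOWED_BINARIES:
            raise PermissionError(f"binary not allowlisted: {argv[:1]}")
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = argv
        return sid

    def handle(self, headers: dict, params: dict) -> tuple[bool, str]:
        """Validate one request; returns (accepted, reason_or_argv)."""
        # 1. Auth is enforced in the handler, never deferred: constant-time
        #    compare so a missing or wrong bearer token is rejected outright.
        presented = headers.get("authorization", "")
        if not hmac.compare_digest(presented, f"Bearer {self._token}"):
            return False, "unauthenticated"
        # 2. Browser-initiated WebSockets always carry an Origin header.
        #    Localhost is not trusted on its own: an agent-loaded page still
        #    speaks from the local machine, so origins must be allowlisted.
        origin = headers.get("origin")
        if origin is not None and origin not in TRUSTED_ORIGINS:
            return False, f"rejected browser origin {origin}"
        # 3. A raw command parameter in the request is never honoured.
        if "command" in params:
            return False, "direct command parameter not accepted"
        # 4. Only a one-time session ID resolves to a command; pop() makes
        #    the ID unusable a second time.
        argv = self._sessions.pop(params.get("session_id", ""), None)
        if argv is None:
            return False, "unknown or already-used session"
        return True, " ".join(argv)  # argv would go to subprocess.run here
```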
