AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html
Publish Date: 2026-06-19 11:30:00
Source Domain: thehackernews.com
Microsoft Researchers Expose Critical Exploit Chain in AI Browsing Agent
Microsoft researchers have published an exploit chain, termed "AutoJack," that abuses an AI browsing agent to achieve remote code execution (RCE) on the agent's host. No credentials and no further user interaction are needed once the agent has loaded an attacker-controlled web page. The target is AutoGen Studio, the open-source prototype interface for Microsoft's AutoGen multi-agent framework.

The root cause is AutoGen Studio's Model Context Protocol (MCP) WebSocket endpoint, which treats any connection arriving from localhost as trusted: it neither authenticates incoming connections nor restricts which callers may execute commands. A browsing agent runs on the same host as that service, so script on a page the agent loads can open a connection that arrives from the loopback interface and is accepted as if it were legitimate local traffic.

Only two pre-release versions of AutoGen Studio carried the flaw. A fix has landed in the main GitHub repository but has not yet shipped in any PyPI release. Microsoft characterized the issue as academic, with no active exploitation reported. Users who installed a vulnerable pre-release should pull the updated code from GitHub. More generally, Microsoft advises running browsing agents and code-execution agents, or any local service that handles untrusted content, on separate machines or inside isolated virtual environments.
Key Points:
- Microsoft details an exploit chain called AutoJack that can remotely execute code by manipulating an AI browsing agent.
- The flaw resides in AutoGen Studio's MCP WebSocket endpoint, but only two pre-release versions were affected; the stable release on PyPI is unaffected.
- The underlying weakness is missing authentication and authorization on the local service, which trusts any loopback connection and does not separate privileges between callers.
- A fix is available in the GitHub repository but not yet in an official PyPI release.
- Until a patched PyPI release ships, users are advised to isolate the service (separate machine or virtual machine) or run it under a low-privilege account.
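The paragraphs above and the key points both turn on one design mistake: treating "the peer is on loopback" as authorization for a WebSocket that can execute commands. The following is an added example, not AutoGen Studio's code or Microsoft's fix. It shows the weak policy beside a hardened handshake gate that keeps the listener on loopback but additionally enforces an Origin allowlist (browsers always send Origin on a cross-site WebSocket open, and CORS offers no protection for WebSockets) and a per-session bearer token for every client, browser or not. The origin list, header dictionaries and scenario names are hypothetical, constructed for illustration.

```python
"""Illustrative WebSocket-handshake gate for a local MCP-style service.

Added example, not AutoGen Studio's code. It contrasts the weak policy the
article describes (any loopback connection is trusted) with a hardened one
(Origin allowlist plus a per-session bearer token). ALLOWED_ORIGINS and the
handshake dictionaries below are hypothetical.
"""
import secrets
from ipaddress import ip_address
from typing import Mapping, Tuple

# Hypothetical: the only page that legitimately owns this socket is the local UI.
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:8081", "http://localhost:8081"})


def naive_accept(peer_ip: str) -> bool:
    """Weak policy: trust any peer on the loopback interface.

    A browser or browsing agent on the same machine also connects from
    127.0.0.1, so script on an attacker page it has loaded passes this test.
    """
    return ip_address(peer_ip).is_loopback


def hardened_accept(headers: Mapping[str, str], peer_ip: str,
                    expected_token: str) -> Tuple[bool, str]:
    """Decide whether to complete the Upgrade. Returns (accepted, reason).

    1. Keep the listener on loopback, but treat that as exposure control,
       not as authorization.
    2. Browsers always send Origin on a cross-site WebSocket open and CORS
       does not apply to WebSockets, so an Origin outside the allowlist is
       a cross-site hijack attempt and is refused. Non-browser MCP clients
       send no Origin; they are admitted only by the token check below.
    3. Every client must present the per-session bearer token, compared in
       constant time.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not ip_address(peer_ip).is_loopback:
        return False, "non-loopback peer"
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin}"
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not secrets.compare_digest(
            presented.encode(), expected_token.encode()):
        return False, "missing or invalid bearer token"
    return True, "ok"


# Constructed handshakes (not captured traffic).
def attacker_page_handshake() -> Mapping[str, str]:
    """What an attacker page opened by a browsing agent on the same host sends."""
    return {"Upgrade": "websocket", "Origin": "https://attacker.example"}


def legit_ui_handshake(token: str) -> Mapping[str, str]:
    """What the local UI sends after receiving the session token out of band."""
    return {"Upgrade": "websocket", "Origin": "http://localhost:8081",
            "Authorization": f"Bearer {token}"}


def run_scenarios(token: str) -> dict:
    """Evaluate both policies against the constructed handshakes."""
    return {
        "naive_attacker": naive_accept("127.0.0.1"),
        "hardened_attacker": hardened_accept(attacker_page_handshake(), "127.0.0.1", token)[0],
        "hardened_legit": hardened_accept(legit_ui_handshake(token), "127.0.0.1", token)[0],
        "hardened_no_token": hardened_accept({"Origin": "http://localhost:8081"}, "127.0.0.1", token)[0],
        "hardened_wrong_token": hardened_accept(legit_ui_handshake("x" * len(token)), "127.0.0.1", token)[0],
        "hardened_cli_client": hardened_accept({"Authorization": f"Bearer {token}"}, "127.0.0.1", token)[0],
    }


if __name__ == "__main__":
    session_token = secrets.token_urlsafe(32)
    for name, accepted in run_scenarios(session_token).items():
        print(f"{name:22s} {'ACCEPT' if accepted else 'REJECT'}")
```

The attacker scenario is the AutoJack shape: the request really does come from 127.0.0.1, so the naive policy accepts it, while the hardened gate rejects it on Origin before the token is even examined. The token must reach the legitimate UI through a channel the attacker page cannot read (for example injected into the UI's HTML by the same server), otherwise the allowlist alone is the only barrier and a DNS-rebinding or misconfigured-origin setup could still reach the socket.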