
AutoJack Exploit Chains MCP Flaws for RCE in AutoGen

Microsoft patched AutoJack, a critical vulnerability chain in AutoGen Studio that enables remote code execution via AI browsing agents.

Microsoft and security researchers have disclosed and patched a critical vulnerability chain in AutoGen Studio dubbed AutoJack. The flaw allows a malicious webpage to execute arbitrary code on a host system if an AI browsing agent running on that system visits the page.

Identified by Microsoft’s Defender Security Research Team, the exploit targets the Model Context Protocol (MCP) WebSocket implementation. Because these agents routinely bridge untrusted external web environments and local system tools, the vulnerability essentially turns the agent into a proxy for remote code execution.

The Attack Chain

AutoJack relies on chaining three distinct weaknesses in the pre-release builds of AutoGen Studio. The first is a Localhost Trust Abuse (CWE-1385). The Model Context Protocol WebSocket was configured to trust connections from localhost. Because a locally running AI agent, such as the MultimodalWebSurfer, counts as localhost, any JavaScript on a visited malicious page inherits the agent’s trusted identity, bypassing standard origin protections.

Second, the architecture lacked proper authentication routing (CWE-306). AutoGen Studio’s middleware intentionally skipped routes starting with /api/mcp/*, operating under the assumption that the WebSocket handler would manage its own checks. The MCP handler failed to implement these checks, exposing the endpoint even when developer-configured security measures like MSAL or Firebase were active.

Finally, the setup contained a Command Injection vulnerability (CWE-78). The WebSocket accepted a base64-encoded server_params value directly from the URL. This payload was passed to the process-launching code without validation, allowing attackers to inject and execute arbitrary PowerShell or Bash commands.

Scope and Remediation

Researchers demonstrated the exploit using a “Web Content Summarizer” agent. Upon visiting a maliciously crafted URL, the agent was forced to launch calc.exe on the developer’s desktop within seconds.

The vulnerability primarily affected pre-release builds, specifically versions 0.4.3.dev1 and 0.4.3.dev2. The stable release 0.4.2.2 remains unaffected because it does not include the experimental MCP route.

Microsoft patched the flaw in the GitHub repository at commit b047730, which rolls into version 0.7.2. The remediation hardens the code by moving server_params to server-side UUID-keyed storage. All MCP routes are now required to pass through the standard authentication pipeline.
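As an added illustration that is not code from this article or from the AutoGen project, the hypothetical Python model below contrasts the pre-fix connect path described above (middleware exemption for /api/mcp/*, no origin or authentication check, base64 server_params taken from the URL) with the hardened shape (authentication pipeline on every route, allow-listed Origin, server-side UUID-keyed parameter storage). Route and field names, the Origin allow-list, the server_id query parameter and the echo parameters are assumptions; the real fix may differ in detail.

```python
# Hypothetical model of the AutoJack MCP WebSocket connect path, written for this
# article. Not AutoGen Studio's code: route, field and function names are assumptions.
import base64
import json
import uuid
from urllib.parse import parse_qs, quote, urlparse

ALLOWED_ORIGINS = {"http://127.0.0.1:8081"}  # constructed: where the Studio UI is served

def encode_params(params: dict) -> str:
    """How a client encodes server_params for the pre-fix URL (URL-quoted base64 of JSON)."""
    return quote(base64.b64encode(json.dumps(params).encode()).decode())

def weak_connect(url: str, origin: str, authenticated: bool) -> dict:
    """Pre-fix: /api/mcp/* skips the middleware, the handler adds no check of its own,
    and base64 server_params taken from the URL go straight to the process launcher."""
    parsed = urlparse(url)
    if not parsed.path.startswith("/api/mcp/") and not authenticated:
        return {"status": "rejected", "reason": "middleware: login required"}
    raw = parse_qs(parsed.query)["server_params"][0]
    # Neither `origin` nor `authenticated` is consulted on the MCP path.
    return {"status": "launch", "params": json.loads(base64.b64decode(raw))}

class ServerParamStore:
    """Post-fix pattern: server_params live server-side and are addressed by UUID."""

    def __init__(self):
        self._by_key = {}

    def register(self, params: dict) -> str:
        key = str(uuid.uuid4())
        self._by_key[key] = params
        return key

    def resolve(self, key: str):
        return self._by_key.get(key)  # unknown or malformed keys simply miss

def hardened_connect(url, origin, authenticated, store: ServerParamStore) -> dict:
    """Post-fix: every route passes the auth pipeline, the upgrade must carry an
    allow-listed Origin, and the client supplies only a server_id, never raw params."""
    if not authenticated:
        return {"status": "rejected", "reason": "auth pipeline: login required"}
    if origin not in ALLOWED_ORIGINS:
        return {"status": "rejected", "reason": "origin not allowed"}
    params = store.resolve(parse_qs(urlparse(url).query).get("server_id", [""])[0])
    if params is None:
        return {"status": "rejected", "reason": "unknown server_id"}
    return {"status": "launch", "params": params}
```

The weak path launches whatever the URL carries regardless of who connected; the hardened path refuses the same request three times over before it can reach a launcher.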

If you build agentic workflows that interact with the web, you must treat the agent environment with the same security scrutiny as a cloud control plane. Implement strict boundary validations in your AI testing environments and host systems, and never implicitly trust local agent processes to sanitize external web inputs.
