Microsoft Patches AutoGen Studio Bug Chain That Allowed Arbitrary Command Execution


[Image: Microsoft Driver Quality Initiative. Image credit: Microsoft]

Microsoft has disclosed and fixed a vulnerability chain dubbed AutoJack that could have allowed AI agents to execute arbitrary commands on a developer’s machine after visiting a malicious webpage.

The issue affected a development version of AutoGen Studio, Microsoft’s low-code interface for building and testing AI agents. Microsoft says the vulnerabilities were patched before any affected code reached a public PyPI release, meaning most users were never exposed.

The company confirmed that users who installed AutoGen Studio from PyPI, including the current autogenstudio 0.4.2.2 release, are not affected. The risk was limited to developers who built AutoGen Studio directly from the project’s GitHub repository during a brief development period before commit b047730.

How AutoJack Worked

Microsoft says AutoJack relied on a chain of three separate weaknesses that, when combined, could allow remote code execution on a developer’s machine.

The vulnerabilities included the MCP WebSocket trusting localhost connections, certain MCP API routes bypassing authentication checks, and the WebSocket accepting URL-provided server parameters that could be passed to process-launching code.

In Microsoft’s example attack scenario, an AI agent with web-browsing capabilities could visit a malicious website. The page could then open a WebSocket connection to AutoGen Studio’s local MCP endpoint.

Because of the authentication gaps and trusted localhost behavior, the attacker could potentially instruct AutoGen Studio to launch arbitrary commands using the privileges of the logged-in developer.

The result could be full command execution on the host machine without the developer intentionally approving the action.
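The three weaknesses Microsoft describes are easiest to see as one request handler written two ways. The following is an added illustration, not AutoGen Studio's code or any code from Microsoft: the request shape, the `weak_launch_decision` / `hardened_launch_decision` names, the UI origin `http://127.0.0.1:8081` and the server registry are all assumptions made for the example. The weak version trusts any connection from 127.0.0.1 (which is exactly where a page loaded in the developer's own browser connects from), performs no session check, and builds the launch argv from URL parameters. The hardened version requires a matching `Origin` header, a per-session bearer token compared in constant time, and only ever launches a server whose argv comes from server-side configuration, so the client can name a server but never supply its command line.

```python
"""
Hypothetical MCP "launch server" request handler, weak and hardened, showing
the AutoJack-style defect pattern from a defender's point of view.
Nothing here is AutoGen Studio's own code; all names are assumptions.
"""
import hmac
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    """Minimal stand-in for an incoming WebSocket upgrade / API request."""
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    launch: Optional[List[str]] = None  # argv that would reach the process launcher


# --- weak pattern (the three weaknesses combined) --------------------------
def weak_launch_decision(req: Request) -> Decision:
    # Weakness 1: a localhost source address is treated as proof of trust.
    # A web page open in the developer's browser also connects from 127.0.0.1,
    # so this check does not distinguish the Studio UI from arbitrary content.
    if req.client_ip not in ("127.0.0.1", "::1"):
        return Decision(False, "remote client refused")
    # Weakness 2: this route performs no session or token check at all.
    # Weakness 3: server parameters are taken from the URL and become argv.
    command = req.query.get("command", "")
    args = req.query.get("args", "")
    return Decision(True, "localhost trusted", shlex.split(command) + shlex.split(args))


# --- hardened pattern -------------------------------------------------------
# Constructed values: the origin the Studio UI is served from, and a
# server-side registry that is the only source of launchable commands.
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}
SERVER_REGISTRY: Dict[str, List[str]] = {
    "filesystem": ["mcp-server-filesystem", "/workspace"],
}


def hardened_launch_decision(req: Request, session_token: str) -> Decision:
    # Browsers always send Origin on WebSocket upgrades; require the UI's own.
    origin = req.headers.get("Origin", "")
    if origin not in ALLOWED_ORIGINS:
        return Decision(False, f"origin not allowed: {origin!r}")
    # Every route that can start a process needs the per-session token,
    # compared in constant time to avoid timing side channels.
    presented = req.headers.get("Authorization", "").removeprefix("Bearer ").strip()
    if not presented or not hmac.compare_digest(presented, session_token):
        return Decision(False, "missing or invalid session token")
    # The client may only *name* a registered server; argv comes from config.
    name = req.query.get("server", "")
    if name not in SERVER_REGISTRY:
        return Decision(False, f"unknown server: {name!r}")
    return Decision(True, "authenticated request for registered server",
                    list(SERVER_REGISTRY[name]))


if __name__ == "__main__":
    # Constructed request as a cross-origin page in a local browser would send it.
    page = Request("127.0.0.1", headers={"Origin": "http://attacker.invalid"},
                   query={"command": "some-binary", "args": "--flag"})
    print("weak:", weak_launch_decision(page))
    print("hardened:", hardened_launch_decision(page, "s3ss10n"))
```

The point of the comparison is that none of the three fixes is sufficient alone: an origin check without authentication still trusts any page on the allowed origin, a token without an origin check can be leaked by an XSS in the UI, and both together still matter less than refusing to take process parameters from the client in the first place.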

Security Recommendations for AutoGen Studio Users

Microsoft recommends treating AutoGen Studio primarily as a development prototype and running it inside isolated environments whenever possible.

Microsoft also cautions against using AutoGen Studio with agents capable of browsing the web or executing arbitrary code on systems exposed to untrusted content.

To reduce potential risks, users should run AutoGen Studio under a low-privilege account or within a sandboxed environment or container, helping to limit the impact of any future agent-driven remote code execution vulnerabilities.

The incident also follows several recent high-profile cybersecurity developments involving AI ecosystems. Microsoft recently attributed the Mastra AI npm supply-chain attack to the North Korean threat group Sapphire Sleet, while researchers have also warned about the emerging Prinz Eugen ransomware operation, which targets businesses and encrypts files without leaving a traditional ransom note.

As AI development platforms become more powerful, security researchers expect greater focus on preventing agent-driven attacks that bridge the gap between web content and local system access.

Via BleepingComputer
