Microsoft’s Defender Security Research Team discloses “AutoJack,” a vulnerability chain in AutoGen Studio enabling RCE via malicious websites
Flaws included localhost channel misuse, skipped login checks, and arbitrary code execution, letting agents run attacker‑supplied programs
Issue existed only in early GitHub builds, fixed before release; highlights need for strict authentication and isolation of local control planes
Microsoft's Defender Security Research Team has disclosed a vulnerability chain in AutoGen Studio that lets a single malicious website achieve remote code execution (RCE) on a device running an AI agent.
AutoGen Studio is a program built by Microsoft Research for developing AI agents. The vulnerability chain was dubbed “AutoJack”, and it consists of three flaws which, looked at separately, aren’t particularly troubling. Chained together, however, they are a whole different story.
“The technique, which we call AutoJack, jacks the agent into becoming the attacker’s last-mile delivery vehicle by crossing the localhost trust boundary that many developer tools rely on,” Microsoft explained in its report.
Patching the bugs
First, AutoGen Studio had a local control channel that only accepted connections from “localhost”, which is a good way to block outside attackers.
However, an AI agent's web browser also counts as “localhost”, meaning these connections would get accepted, too. Then, for this particular channel, login checks were skipped.
The app had several ways to require a username and password, but the part of the code handling this specific local channel was left wide open.
Finally, the channel would run almost anything it was told to run. Microsoft’s researchers managed to get an arbitrary program running, meaning threat actors could do the same, albeit with malicious code instead.
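To make the three flaws concrete, here is a small illustration of a loopback control channel, with the weak gate the article describes beside a hardened one that reflects Microsoft's concluding advice (authenticated, authorized, and isolated). This is an added example written for this page, not AutoGen Studio's code; the request shape, the origin value, the action names and the token scheme are all assumptions made for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed illustration of a local "control channel" as the article
# describes it. Nothing here is taken from AutoGen Studio's source.

LOOPBACK = {"127.0.0.1", "::1"}
# Origin of the local app's own UI (hypothetical value for this example).
ALLOWED_ORIGINS = {"http://localhost:8081"}
# Actions the channel may perform; "run an arbitrary program" is not one of them.
ALLOWED_ACTIONS = {"list_sessions", "stop_session"}


@dataclass
class ControlRequest:
    peer_ip: str
    action: str
    headers: dict = field(default_factory=dict)  # assume header names are canonical


def is_loopback(req: ControlRequest) -> bool:
    """The weak gate: peer address only. A browser running on the same
    machine (including one driven by the agent) passes this just like the
    legitimate local UI does, so it tells you nothing about who is asking."""
    return req.peer_ip in LOOPBACK


def issue_session_token() -> str:
    """Per-process secret handed only to the trusted local UI at startup.
    A web page loaded by the agent's browser has no way to learn it."""
    return secrets.token_urlsafe(32)


def authorize(req: ControlRequest, session_token: str) -> tuple:
    """Hardened gate: loopback AND origin check AND bearer token AND an
    action allow-list. Returns (allowed, reason) so every denial can be logged."""
    if not is_loopback(req):
        return False, "non-loopback peer"
    # A request started by a web page carries that page's Origin; anything
    # other than the app's own UI is a cross-origin request riding on loopback trust.
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"unexpected origin {origin}"
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    # Constant-time compare on bytes; a non-ASCII token must not raise here.
    if scheme != "Bearer" or not hmac.compare_digest(
        token.encode("utf-8", "replace"), session_token.encode("utf-8")
    ):
        return False, "missing or bad session token"
    if req.action not in ALLOWED_ACTIONS:
        return False, f"action {req.action!r} not on allow-list"
    return True, "ok"


def demo() -> dict:
    """Constructed requests: one from the trusted UI, one that arrives on the
    same loopback address but without the UI's origin or token."""
    token = issue_session_token()
    trusted = ControlRequest(
        "127.0.0.1", "list_sessions",
        {"Origin": "http://localhost:8081", "Authorization": f"Bearer {token}"},
    )
    untrusted = ControlRequest(
        "127.0.0.1", "run_program", {"Origin": "http://example.invalid"}
    )
    return {
        # Both pass the weak gate: loopback alone cannot tell them apart.
        "weak_gate": (is_loopback(trusted), is_loopback(untrusted)),
        # Only the trusted one passes the hardened gate.
        "hardened": (authorize(trusted, token), authorize(untrusted, token)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The design choice worth noting is that the origin check alone is not enough (a non-browser client sends no Origin header, and headers can be forged by anything that is not a browser), which is why the token is mandatory and the origin check is an additional, browser-specific layer; the allow-list addresses the third flaw by bounding what the channel can do even when a caller is accepted.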
In theory, the attack would work like this: the victim would instruct their AI agent to summarize a specific website. When the agent visited that site, the page would instruct it to download and run malicious code, which could be anything from backdoor malware to infostealers.
The good news is that Microsoft found this issue and reported it before the bug ever reached regular users. The official downloadable version of AutoGen Studio never had this problem, since it only existed in an early, in-development version on GitHub. The AutoGen team has since fixed it.
“If an agent can browse untrusted pages and also talk to privileged local services, loopback can become an attack surface and control planes must be authenticated, authorized, and isolated,” Microsoft concluded.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Original source: TechRadar