Forensic Summary
A three-flaw vulnerability chain dubbed AutoJack in Microsoft's AutoGen Studio allowed attackers to execute arbitrary commands on a developer's host system by manipulating a browsing AI agent into connecting to a malicious webpage. The attack exploited missing authentication on MCP WebSocket routes combined with unsanitised base64-encoded parameters to launch arbitrary processes. Microsoft confirmed the flaw was patched before any PyPI release, limiting exposure to developers building directly from the main GitHub branch.
Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/autojack-vulnerability-chain-enabled-remote-code-execution-via-ai-agent/