AutoJack Vulnerability in Microsoft AutoGen Studio Enables Remote Code Execution via Malicious Webpage
What Happened — A chain of three weaknesses in Microsoft’s AutoGen Studio interface (dubbed “AutoJack”) allowed a malicious web page to trick a locally‑running AI agent into opening a WebSocket to the MCP endpoint, bypass authentication, and execute arbitrary PowerShell or Bash commands on the developer’s machine. The flaw was patched before any PyPI release, limiting exposure to developers who built the tool from the main GitHub branch during a brief window.
Why It Matters for Compliance & Audit Readiness
- The scenario illustrates a classic control‑gap: unauthenticated local services that trust “localhost” traffic, a condition SOC 2 CC6.1 (System Operations) and CC7.1 (Change Management) expect to be mitigated and continuously monitored.
- Continuous‑compliance programs must map such misconfigurations to evidence‑collection pipelines so auditors can see that authentication, network segmentation, and code‑signing controls are enforced in development environments.
- Leveraging Verisq’s Control Mapping capability provides an immutable audit trail of remediation steps, configuration baselines, and ongoing verification—exactly the proof points SOC 2 auditors request.
Who Is Affected — AI‑focused development platforms, open‑source tooling ecosystems, and organizations that embed AutoGen Studio in internal prototype pipelines (primarily technology‑SaaS and research teams).
Recommended Actions
- Immediately upgrade to AutoGen Studio 0.4.2.2 or later; verify the package source is the official PyPI release.
- Isolate AutoGen Studio in a sandbox or air‑gapped VM; enforce network‑level segmentation so no inbound Internet traffic can reach the local MCP WebSocket.
- Harden the MCP endpoint: require mutual TLS, enforce authentication on all
/api/mcp/*routes, and reject connections that originate from non‑trusted origins. - Document the remediation in your SOC 2 control inventory and capture configuration snapshots as continuous audit evidence.
Technical Notes
- Attack vector: exploitation of a localhost‑trusted WebSocket combined with missing authentication and unsafe parameter handling (base64‑encoded
server_params). - Impact: arbitrary command execution with the privileges of the developer’s account; demonstrated by launching Windows Calculator.
- Mitigation: Microsoft removed the vulnerable code before any public release; the current PyPI package is clean.
- References: BleepingComputer article – https://www.bleepingcomputer.com/news/security/microsoft-fixes-autogen-studio-flaw-that-enabled-code-execution/