    Microsoft fixes AutoGen Studio flaw that enabled code execution

    By admin, June 23, 2026

    A vulnerability chain dubbed AutoJack in Microsoft’s AutoGen Studio, the interface for prototyping AI agents, could let attackers manipulate an agent into executing arbitrary commands on its host system simply by having the agent visit a malicious webpage.

    AutoGen Studio is the graphical component for AutoGen, Microsoft’s open-source framework for building multi-agent AI systems. The framework allows developers to create AI agents that can collaborate with one another, use tools, browse the web, execute code, interact with APIs, and connect to external systems.

    The project is very popular, with more than 59,000 stars and nearly 9,000 forks on GitHub. Microsoft notes that AutoJack’s impact was limited because the issue was addressed during development.


    “This issue was identified and remediated before any PyPI release, so the affected code never shipped in a published package,” Microsoft says.

    “The exposure was limited to developers who built AutoGen Studio from the main GitHub branch during the window between the MCP plugin landing and the hardening commit.”

    AutoJack details

    Microsoft describes the AutoJack attack as being based on three separate weaknesses in AutoGen Studio:

    1. The MCP WebSocket trusts connections originating from localhost, allowing a browsing agent running on the same machine to be tricked into loading attacker-controlled JavaScript that appeared to come from a trusted local source.
    2. AutoGen Studio’s authentication middleware excludes /api/mcp/* routes from authentication checks, while the MCP WebSocket endpoint fails to implement its own authentication, leaving it accessible without credentials.
    3. The MCP WebSocket accepts a base64-encoded server_params value from the URL and passes it to the process-launching code, allowing attackers to specify and execute arbitrary PowerShell or Bash commands, or arbitrary executables.
    [Figure: Origin bypass via the AI agent. Source: Microsoft]

    In a realistic attack scenario that Microsoft presented, malicious JavaScript on a page visited by a developer’s AI agent opens a WebSocket connection to AutoGen Studio’s local MCP endpoint.

    The payload instructs AutoGen Studio to launch an attacker-chosen command with the privileges of the developer’s account. Microsoft demonstrated the effect by launching Windows Calculator.
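    The three weaknesses above map onto three server-side checks. The following is an added, self-contained illustration written for this article, not AutoGen Studio’s real code or Microsoft’s fix: the allowed Origins, the launcher allowlist, the session token and the route name are all assumed placeholder values. It gates the WebSocket upgrade on an exact Origin match and a session token (rather than trusting localhost or skipping the middleware for /api/mcp/*), and it refuses any base64 server_params whose command is not an allowlisted launcher.

```python
import base64
import hmac
import json
from typing import Optional, Tuple

# Constructed policy values (not AutoGen Studio's real configuration): exact
# Origins allowed to open the MCP WebSocket, the only MCP launcher executables
# the server will start, and a placeholder session token.
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}
ALLOWED_COMMANDS = {"npx", "uvx"}
EXPECTED_TOKEN = "dev-session-token-placeholder"

def check_handshake(path: str, origin: Optional[str], token: Optional[str]) -> Tuple[bool, str]:
    """Gate a WebSocket upgrade on an /api/mcp/* route.

    Weakness 1 (trusting localhost) is closed by matching the exact Origin
    header rather than the peer address; weakness 2 (auth exclusion) by
    requiring a valid session token on MCP routes as well.
    """
    if not path.startswith("/api/mcp/"):
        return False, "not an MCP route"
    if origin is None or origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    if token is None or not hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode()):
        return False, "missing or invalid session token"
    return True, "ok"

def encode_server_params(params: dict) -> str:
    """Client-side helper: JSON-encode, then base64-encode, server_params."""
    return base64.b64encode(json.dumps(params).encode()).decode()

def decode_server_params(raw_b64: str) -> dict:
    """Decode server_params and enforce an allowlist (weakness 3): only a bare,
    allowlisted launcher name is accepted as the command, and args must be a
    list of strings; anything else raises ValueError instead of being launched.
    """
    try:
        params = json.loads(base64.b64decode(raw_b64, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        raise ValueError(f"malformed server_params: {exc}") from exc
    if not isinstance(params, dict):
        raise ValueError("server_params must be a JSON object")
    command, args = params.get("command"), params.get("args", [])
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowlisted: {command!r}")
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    return {"command": command, "args": args}
```

    A rejected handshake or a ValueError from decode_server_params is also the natural place to emit a log line, since an unexpected Origin on a local MCP route is exactly the signal a defender would want to alert on.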

    [Figure: AutoJack demo launching Calc.exe. Source: Microsoft]

    It should be noted that users installing AutoGen Studio from the Python Package Index (PyPI) were never exposed to the affected code. The current package, autogenstudio 0.4.2.2, does not contain the AutoJack weaknesses.

    However, developers building AutoGen directly from GitHub during a limited window before commit b047730 were impacted for a short period.

    Microsoft recommends that users who install AutoGen Studio deploy it “strictly as a developer prototype in an isolated environment” that is not exposed to the internet.

    Furthermore, the maintainer emphasizes that the project should not be run with an agent that can browse or execute arbitrary code on a machine that handles untrusted content.

    “Run AutoGen Studio under a low-privilege account in a sandboxed user profile or container so that any future agent-driven RCE is contained to a dev profile, not your daily-driver account,” advises Microsoft.
