{"id":8538,"date":"2026-06-19T08:41:49","date_gmt":"2026-06-19T08:41:49","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8538"},"modified":"2026-06-19T08:41:49","modified_gmt":"2026-06-19T08:41:49","slug":"microsoft-says-web-enabled-ai-agents-can-trigger-host-level-rce","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8538","title":{"rendered":"Microsoft says web-enabled AI agents can trigger host-level RCE"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft is warning of a novel remote code execution (RCE) path possible through web-enabled AI agents, demonstrating the technique against AutoGen Studio, its open-source interface for building and testing multi-agent applications.<\/p>\n<p>The demonstration showed that a malicious webpage rendered by an AutoGen-powered browsing agent could reach a local Model Context Protocol (<a href=\"https:\/\/www.csoonline.com\/article\/4087656\/what-cisos-need-to-know-about-new-tools-for-securing-mcp-servers.html\" target=\"_blank\" rel=\"noopener\">MCP<\/a>) service and run arbitrary processes on the host machine.<\/p>\n<p>Microsoft researchers dubbed the technique \u201cAutoJack\u201d because it effectively hijacks a web-accessing AI agent and abuses its trusted local access to bypass localhost security boundaries. 
The attack chains together three separate weaknesses in AutoGen <a href=\"https:\/\/microsoft.github.io\/autogen\/dev\/user-guide\/autogenstudio-user-guide\/index.html\">Studio<\/a>\u2019s MCP WebSocket implementation, though Microsoft said the problem extends beyond AutoGen and could affect a broader class of agentic frameworks.<\/p>\n<p>\u201cWhen an agent on your core server or laptop can browse the open web and communicate with privileged local services, localhost stops being a trust boundary,\u201d it said in a blog <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/18\/autojack-single-page-rce-host-running-ai-agent\/\" target=\"_blank\" rel=\"noopener\">post<\/a>.<\/p>\n<p>The findings were internally reported to Microsoft Security Response Center (MSRC), and the affected AutoGen Studio code was reportedly fixed before reaching a public PyPI release.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Three flaws chained into RCE<\/h2>\n<p>The AutoJack attack combined three separate weaknesses in AutoGen Studio\u2019s MCP WebSocket implementation.<\/p>\n<p>The first involved an origin allowlist designed to accept connections only from localhost. Under normal conditions, this protection would block a browser visiting a malicious external website. However, Microsoft found that a browsing agent running locally inherits the localhost identity, allowing attacker-controlled JavaScript rendered by the agent to satisfy the origin check.<\/p>\n<p>The second issue stemmed from the authentication logic. AutoGen Studio\u2019s authentication process excluded MCP WebSocket paths from normal authentication checks, assuming those endpoints would implement their own controls. According to Microsoft, the MCP route never enforced those additional checks, leaving the interface accessible without authentication regardless of the configured authentication mode.<\/p>\n<p>The third was the most dangerous of the issues. 
The MCP endpoint accepted a \u201cserver_params\u201d value supplied through the URL, decoded it, and passed the resulting command and arguments directly to the process-spawning mechanism used for MCP servers. Because no allowlist restricted which executables could be launched, attackers could specify arbitrary commands such as PowerShell, Bash, or other binaries.<\/p>\n<p>Microsoft said chaining these weaknesses allowed a webpage to trigger arbitrary process execution on the machine hosting AutoGen Studio without additional user interaction beyond getting the agent to render the page.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The threat never touched production<\/h2>\n<p>Microsoft said that the vulnerable code existed only in development builds that included MCP support and was never shipped through the current PyPI release. This means that users who installed AutoGen Studio through PyPI were never exposed to AutoJack.<\/p>\n<p>For those installing AutoGen Studio from source, the maintainers subsequently removed URL-based parameter injection, routed MCP paths through normal authentication flows, and implemented server-side parameter handling keyed to session identifiers.<\/p>\n<p>Beyond the specific bugs, Microsoft argues that AutoJack illustrates a pattern across agent frameworks. \u201cThe general guidance still applies because the pattern (an agent on the box reaching localhost services) is broader than this one bug,\u201d it said.<\/p>\n<p>AutoJack was a result of Microsoft\u2019s active research into how traditional software risks change when AI models connect to tools, browsers, code interpreters, and local services. 
The findings come as Microsoft doubles down on agentic AI initiatives across its product portfolio, <a href=\"https:\/\/www.csoonline.com\/article\/4180467\/microsoft-wants-to-put-ai-agents-on-a-short-leash.html\">expanding<\/a> its investments in agent governance, containment, and autonomous security systems.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft is warning of a novel remote code execution (RCE) path possible through web-enabled AI agents, demonstrating the technique against AutoGen Studio, its open-source interface for building and testing multi-agent applications. The demonstration showed that a malicious webpage rendered by an AutoGen-powered browsing agent could reach a local Model Context Protocol (MCP) service and run [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8539,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8538","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8538"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8538"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8538\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8539"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8538"}],"wp:term":[{"taxonomy":"category","embeddab
le":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}