The widespread deployment of autonomous AI agents in 2026 has fundamentally altered the threat landscape for enterprise infrastructure. As organizations increasingly rely on AI models to browse the web and execute local tasks, the traditional security boundary of localhost has collapsed.
Security Arsenal is tracking a critical new attack chain dubbed AutoJack, disclosed by Microsoft Security researchers. This vulnerability demonstrates how a single malicious webpage can compromise the host machine running an AI agent. By exploiting the trust an agent places in local resources and the lack of authentication in local communication channels, attackers can achieve unauthenticated remote code execution (RCE). Defenders must immediately treat autonomous agent environments as untrusted internet-facing endpoints, not safe internal zones.
Technical Analysis
Affected Component: AutoGen Studio (MCP WebSocket Interface)
AutoJack targets the interaction between an AI browsing agent and the host's local services. The attack chain unfolds as follows:
- Agent Browsing: An AI agent, tasked with gathering data, browses to a malicious webpage controlled by the attacker.
- Payload Delivery: The webpage does not contain traditional exploit code (e.g., buffer overflows). Instead, it contains semantic instructions or data designed to manipulate the agent's logic.
- Abuse of Trust: The agent processes this input and attempts to perform actions it believes are legitimate. Specifically, it interacts with the Model Context Protocol (MCP) WebSocket exposed by AutoGen Studio on the host.
- Unauthenticated Execution: The research indicates that the MCP WebSocket interface on the affected versions of AutoGen Studio lacks robust authentication. Furthermore, parameter handling allows for arbitrary commands to be constructed.
- Code Execution: The agent relays the malicious payload to the local WebSocket service, which executes the command on the host operating system with the privileges of the agent process.
Exploitation Status: Proof-of-Concept (PoC) code has been demonstrated by researchers. While no specific CVE is assigned in the initial disclosure, the technique highlights a critical design flaw in current agent architectures where local services trust input from agents that have interacted with untrusted internet content.
Root Cause:
- Trust in Localhost: The system assumes that traffic to 127.0.0.1 is safe, ignoring that the source of that traffic is an agent compromised by external input.
- Missing Authentication: The MCP WebSocket accepts commands without verifying the origin or integrity of the request beyond the agent's connection.
Detection & Response
Detecting AutoJack requires monitoring for unusual process chains originating from AI agent runtimes (typically Python processes) and interactions with local network services that result in shell execution.
SIGMA Rules
---
title: AutoJack - AI Agent Spawning Shell
id: 55a0b1e2-99c4-4f3d-8e1a-7d2f3b4c5d6e
status: experimental
description: Detects when an AI agent process (e.g., AutoGen/Python) spawns a command shell or utility, indicative of the AutoJack attack chain.
author: Security Arsenal
date: 2026-06-18
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\python.exe'
            - '\python3.exe'
        ParentCommandLine|contains:
            - 'autogen'
            - 'mcp'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate developer debugging sessions
level: high
---
title: AutoJack - Linux Agent Spawning Shell
id: 88b2c3d4-0e5f-4a6b-9c1d-2e3a4b5c6d7e
status: experimental
description: Detects Linux AI agent processes spawning bash or sh, a potential indicator of AutoJack RCE.
author: Security Arsenal
date: 2026-06-18
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
            - '/python3'
            - '/python'
        ParentCommandLine|contains:
            - 'autogen'
            - 'mcp'
    selection_child:
        Image|endswith:
            - '/bash'
            - '/sh'
    condition: all of selection_*
falsepositives:
    - Administrative scripts
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for AutoJack: Agent processes spawning shells
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in ("python.exe", "python", "python3")
| where InitiatingProcessCommandLine has_any ("autogen", "mcp", "websocket")
| where ProcessFileName in ("cmd.exe", "powershell.exe", "bash", "sh", "zsh")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, ProcessFileName
| order by Timestamp desc
Velociraptor VQL
-- Hunt for AutoJack: Python agent processes spawning shells
SELECT Pid, Name, CommandLine, Exe, Username,
       Parent.Pid AS ParentPid, Parent.Name AS ParentName, Parent.CommandLine AS ParentCmd
FROM pslist()
WHERE Parent.Name =~ "python"
  AND Parent.CommandLine =~ "autogen"
  AND Name IN ("cmd", "powershell", "bash", "sh")
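The same parent/child condition encoded by the Sigma, KQL and VQL hunts above, written in Python and run over a few constructed process-creation events; this is an added example, not part of the original advisory. Field names follow the Sigma rules (Image, ParentImage, ParentCommandLine) and the event records are made up for illustration.

```python
import ntpath
import posixpath

# Union of the markers used by the Sigma rules and the KQL query above.
AGENT_MARKERS = ("autogen", "mcp", "websocket")
PYTHON_NAMES = {"python", "python3", "python.exe", "python3.exe"}
SHELL_NAMES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}

def basename(path: str) -> str:
    """Last path element for either path flavour: the rules match on
    '\\cmd.exe' or '/bash', i.e. on the file name only, so Windows and
    Linux telemetry are normalised the same way."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)

def is_autojack_chain(event: dict) -> bool:
    """True when a python process whose command line names the agent
    runtime spawns a shell: the Sigma condition 'all of selection_*'."""
    parent = basename(event["ParentImage"]).lower()
    child = basename(event["Image"]).lower()
    cmdline = event.get("ParentCommandLine", "").lower()
    return (parent in PYTHON_NAMES
            and any(marker in cmdline for marker in AGENT_MARKERS)
            and child in SHELL_NAMES)

def hunt(events):
    """Return the events that match, in telemetry order."""
    return [e for e in events if is_autojack_chain(e)]

# Constructed sample telemetry: one Windows hit, one Linux hit, two benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Python312\python.exe",
     "ParentCommandLine": "python.exe -m autogenstudio ui",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": "/usr/bin/python3",
     "ParentCommandLine": "python3 mcp_server.py --ws 127.0.0.1",
     "Image": "/usr/bin/bash",
     "CommandLine": "bash -c 'id'"},
    {"ParentImage": "/usr/bin/python3",            # web app, not an agent
     "ParentCommandLine": "python3 manage.py runserver",
     "Image": "/usr/bin/bash", "CommandLine": "bash build.sh"},
    {"ParentImage": r"C:\Python312\python.exe",    # agent, but child is not a shell
     "ParentCommandLine": "python.exe -m autogenstudio ui",
     "Image": r"C:\Python312\python.exe", "CommandLine": "python worker.py"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("[!]", hit["ParentCommandLine"], "->", hit["CommandLine"])
```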
Remediation Script (Bash)
This script checks for common indicators of the vulnerable AutoGen Studio setup and attempts to identify listening WebSocket services that may be exposed without authentication.
#!/bin/bash
# AutoJack Detection and Mitigation Check
# Author: Security Arsenal
# Date: 2026-06-18
set -u

echo "[*] Checking for AutoGen Studio processes..."
# pgrep -af matches the full command line and, unlike a grep pipeline, never lists itself
AGENT_PROCS=$(pgrep -af -i autogen)
if [ -n "$AGENT_PROCS" ]; then
    echo "[!] WARNING: AutoGen Studio processes detected:"
    echo "$AGENT_PROCS"
else
    echo "[+] No AutoGen Studio processes found."
fi
echo ""

echo "[*] Scanning for MCP WebSocket listeners bound to localhost..."
# TCP listeners only (WebSockets ride on TCP), on both the IPv4 and IPv6 loopback
# addresses. Adjust the filter if MCP is bound to another address or port range.
LISTENERS=$(ss -tln | awk 'NR > 1 && ($4 ~ /^127\.0\.0\.1:/ || $4 ~ /^\[::1\]:/)')
if [ -n "$LISTENERS" ]; then
    echo "[!] Active localhost listeners found. Review these ports for MCP exposure:"
    echo "$LISTENERS"
else
    echo "[+] No localhost listeners detected."
fi
echo ""

echo "[*] Mitigation Recommendation:"
echo "1. Restrict agent browsing to specific, trusted allowlists."
echo "2. Ensure MCP WebSocket interfaces require authentication (e.g., tokens)."
echo "3. Apply the latest patches for AutoGen Studio provided by the vendor."
Remediation
To defend against the AutoJack attack chain and secure AI agent infrastructure, Security Arsenal recommends the following immediate actions:
- Patch and Update: Immediately update AutoGen Studio and any related MCP (Model Context Protocol) libraries to the latest patched versions provided by the vendor. Discontinue the use of versions identified as vulnerable in the Microsoft Security Blog.
- Implement Strict Allowlisting: Configure AI agents to browse only specific, pre-approved domains. Allowing AI agents to freely browse the open internet exposes the host to this specific class of "indirect injection" attacks.
- Enforce Authentication on Local Services: Ensure that all local services (especially WebSockets and HTTP endpoints on 127.0.0.1) accessed by agents require strict authentication. Localhost is no longer a trusted zone when an AI agent acts as the bridge.
- Network Segmentation for Agents: Run AI agents in isolated containers or virtual machines with restricted network access. Do not run agents with elevated privileges or on the same host as sensitive services.
- Input Sanitization: Review and harden the parameter handling within the agent's tool definitions to prevent arbitrary command injection via the MCP interface.
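Two of the controls above in code, as an added example that is neither AutoGen Studio's nor the advisory's own: a local tool endpoint that refuses handshakes lacking a provisioned token or carrying a browser Origin header (the unauthenticated-localhost root cause), and a fixed-argv allowlist for tool parameters (the parameter-handling root cause, and the control that still bounds damage when the agent itself has been steered by page content). The tool names, header layout and token scheme are hypothetical.

```python
import hmac
import secrets
import subprocess
from typing import Mapping, Sequence

# Secret generated when the service starts and provisioned only to the agent
# process (constructed here); a connection to 127.0.0.1 alone proves nothing.
SERVICE_TOKEN = secrets.token_urlsafe(32)

# Hypothetical tool allowlist: tool name -> fixed argv prefix. Parameters are
# appended as separate argv elements and never joined into a shell string, so
# "notes.txt; echo hi" is just an odd file name, not a second command.
TOOLS: Mapping[str, Sequence[str]] = {
    "count_lines": ("wc", "-l"),
    "list_dir": ("ls", "-1"),
}

def authorize(headers: Mapping[str, str], token: str = SERVICE_TOKEN) -> bool:
    """Accept a WebSocket handshake only with the provisioned bearer token."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # Browsers attach Origin to every WebSocket handshake and cannot set
    # Authorization on it; a handshake carrying Origin did not come from the
    # agent runtime, so it is refused before the token is even examined.
    if "origin" in lowered:
        return False
    scheme, _, presented = lowered.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), token.encode())

def build_argv(tool: str, params: Sequence[str]) -> list:
    """Map a tool request onto its fixed argv. Unknown tools are refused, and
    so are option-like parameters, so a parameter can never become a flag."""
    if tool not in TOOLS:
        raise ValueError(f"unknown tool: {tool!r}")
    for p in params:
        if p.startswith("-") or "\x00" in p:
            raise ValueError(f"rejected parameter: {p!r}")
    return [*TOOLS[tool], *params]

def run_tool(headers: Mapping[str, str], tool: str, params: Sequence[str]):
    """Full request path: authenticate, build argv, execute without a shell."""
    if not authorize(headers):
        raise PermissionError("unauthenticated local request")
    argv = build_argv(tool, params)
    # No shell=True: every argv element reaches the program exactly as given.
    return subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
```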