"This issue was identified and remediated before any PyPI release, so the affected code never shipped in a published package," Microsoft says.
AutoJack attack chain: three concrete weaknesses in AutoGen Studio
Microsoft described a multi-step vulnerability chain it has named AutoJack that existed in AutoGen Studio, the graphical interface for AutoGen — Microsoft’s open-source framework for building multi-agent AI systems. The company broke the chain into three specific weaknesses. First, the MCP WebSocket trusted any connection that appeared to originate from localhost, so attacker-controlled JavaScript that a browsing agent on the same machine had been tricked into loading appeared to the endpoint to come from a trusted local source. Second, AutoGen Studio's authentication middleware excluded the /api/mcp/* routes from authentication checks, and the MCP WebSocket endpoint itself implemented no authentication of its own, leaving the endpoint accessible without credentials. Third, the MCP WebSocket accepted a base64-encoded server_params value from the URL and passed it to the process-launching code, enabling attackers to specify and execute arbitrary PowerShell or Bash commands, or launch executables.
How a realistic exploit would unfold
Microsoft laid out a plausible attack scenario. A developer’s AI agent visits a malicious webpage; JavaScript on that page runs in the agent’s browsing context and opens a WebSocket to AutoGen Studio’s local MCP endpoint. Because the WebSocket was trusted and unauthenticated, the page could deliver a payload that included a server_params value instructing AutoGen Studio to launch a command. The command would run with the privileges of the developer’s account. As a proof-of-concept, Microsoft demonstrated this by launching the Windows Calculator from the agent-driven payload.
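As an added example (not AutoGen Studio's code and not from Microsoft's report), the following Python models the three checks that close each link of the chain just described on a local MCP WebSocket endpoint: reject browser origins other than the Studio UI itself instead of trusting a localhost peer address, require the session token at the endpoint rather than relying on middleware that exempts the route, and resolve server_params to an operator-registered allowlist entry instead of handing a client-supplied command line to the process launcher. Every name here (MCPHandshake, validate_handshake, ALLOWED_SERVERS, ALLOWED_ORIGINS, SESSION_TOKEN), the port in the allowed origins, and the allowlist contents are assumptions for illustration.

```python
"""Added example (not AutoGen Studio's code): handshake validation for a
local MCP WebSocket endpoint, addressing the three AutoJack weaknesses.
All identifiers, ports and allowlist entries below are assumptions."""
import base64
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed: the only pages allowed to open the socket are the Studio UI itself.
# A localhost peer address is NOT a substitute for this; any page loaded by a
# browser on the machine also connects from 127.0.0.1.
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}

# Assumed: per-session secret handed to the Studio UI at login (constructed value).
SESSION_TOKEN = "constructed-session-token"

# Assumed: MCP servers the operator registered ahead of time. The request may
# name one of these; it can never supply its own command line.
ALLOWED_SERVERS: Dict[str, List[str]] = {
    "filesystem": ["python", "-m", "mcp_filesystem_server"],
    "git": ["python", "-m", "mcp_git_server"],
}


@dataclass
class MCPHandshake:
    """The parts of a WebSocket upgrade request the endpoint must inspect."""
    path: str
    origin: Optional[str]          # Origin header as sent by the client
    auth_token: Optional[str]      # bearer token extracted by the endpoint
    query: Dict[str, str] = field(default_factory=dict)


def encode_params(obj: dict) -> str:
    """Encode a server_params value the way the endpoint expects (base64 JSON)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


def check_origin(h: MCPHandshake) -> Optional[str]:
    # Weakness 1: browsers set Origin and page scripts cannot override it, so
    # rejecting foreign origins stops a third-party page from reaching the socket.
    if h.origin not in ALLOWED_ORIGINS:
        return "origin not allowed"
    return None


def check_auth(h: MCPHandshake) -> Optional[str]:
    # Weakness 2: the endpoint verifies the token itself, so an exemption in
    # the middleware for /api/mcp/* can no longer leave it open.
    if not h.path.startswith("/api/mcp/"):
        return "unexpected path"
    if h.auth_token is None or not hmac.compare_digest(h.auth_token, SESSION_TOKEN):
        return "missing or invalid auth token"
    return None


def resolve_server_params(h: MCPHandshake) -> Tuple[Optional[List[str]], Optional[str]]:
    # Weakness 3: decode server_params, but use it only as a lookup key; the
    # argv that reaches the launcher always comes from ALLOWED_SERVERS.
    raw = h.query.get("server_params")
    if raw is None:
        return None, "server_params missing"
    try:
        decoded = json.loads(base64.urlsafe_b64decode(raw).decode("utf-8"))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None, "server_params is not valid base64 JSON"
    name = decoded.get("server") if isinstance(decoded, dict) else None
    if name not in ALLOWED_SERVERS:
        return None, "server not in allowlist"
    return list(ALLOWED_SERVERS[name]), None


def validate_handshake(h: MCPHandshake) -> Tuple[Optional[List[str]], List[str]]:
    """Return (argv_to_launch, errors). argv is None unless every check passes."""
    errors = [e for e in (check_origin(h), check_auth(h)) if e]
    argv, err = resolve_server_params(h)
    if err:
        errors.append(err)
    return (argv if not errors else None), errors


if __name__ == "__main__":
    # Constructed sample: a legitimate request from the Studio UI.
    ok = MCPHandshake("/api/mcp/ws", "http://localhost:8081", SESSION_TOKEN,
                      {"server_params": encode_params({"server": "git"})})
    print(validate_handshake(ok))
    # Constructed sample: a request from a foreign page with no token.
    bad = MCPHandshake("/api/mcp/ws", "https://example.invalid", None,
                       {"server_params": encode_params({"server": "unregistered"})})
    print(validate_handshake(bad))
```

The Origin check and the token check deliberately overlap: Origin is reliable only for browser clients, while a non-browser client can set any Origin it likes but cannot obtain the session token, so both must pass before anything is launched. The launcher never sees request-supplied text at all, which is what removes the third weakness rather than merely filtering it.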
Who was actually exposed: GitHub builds, not PyPI installs
Microsoft emphasised that exposure was limited. The affected code never shipped in a published package on the Python Package Index, so users who installed AutoGen Studio from PyPI were not exposed to the AutoJack weaknesses. The current published package, autogenstudio 0.4.2.2, does not contain the vulnerable code. Instead, the window of impact was confined to developers who built AutoGen Studio directly from the project’s main GitHub branch during the period between the MCP plugin landing and a subsequent hardening commit identified as b047730.
Fixes applied and operational guidance from Microsoft and the maintainer
Microsoft says the issue was identified and remediated before any PyPI release, meaning the vulnerable code was corrected during development. The project maintainer also issued operational guidance: deploy AutoGen Studio "strictly as a developer prototype in an isolated environment" that is not exposed to the internet, and do not run the project with an agent capable of browsing or executing arbitrary code on a machine that handles untrusted content. The maintainer further advised running AutoGen Studio under a low-privilege account in a sandboxed user profile or container so that any future agent-driven remote code execution would be contained to a development profile rather than a user’s daily-driver account.
What this means for developers, security teams, and end users
- Developers who build from the GitHub main branch: If you built AutoGen Studio from source during the specified window before commit b047730, you were the population Microsoft identified as affected; you should verify your local codebase and redeploy only patched commits or the published autogenstudio 0.4.2.2 package.
- Security teams in organizations using developer prototypes: The attack model shown — a malicious webpage triggering local WebSocket commands that spawn processes — reinforces Microsoft’s recommendation to isolate prototypes from internet-facing networks and to run them under least-privilege or containerized profiles.
- End users and PyPI consumers: If you installed AutoGen Studio from PyPI, Microsoft states you were not exposed, because the affected code never reached published packages.
AutoGen is a widely used open-source framework that lets agents collaborate, use tools, browse the web, execute code, interact with APIs, and connect to external systems; Microsoft notes the project has more than 59,000 stars and nearly 9,000 forks on GitHub. The company’s disclosure frames AutoJack as a development-time mistake that was corrected before release, but it also serves as a reminder that powerful agent capabilities — browsing, process launching, and tool use — can multiply risk when local endpoints trust or accept unauthenticated inputs.
Read the original report: https://www.bleepingcomputer.com/news/security/microsoft-fixes-autogen-studio-flaw-that-enabled-code-execution/