Microsoft warns AI agents are being 'AutoJack'-ed to deliver RCE payloads by browsing untrusted websites
Date:
Fri, 19 Jun 2026 15:20:00 +0000
Description:
Three minor vulnerabilities chained together can cause a lot of trouble but Microsoft fixed it on time.
FULL STORY ======================================================================
- Microsoft's Defender Security Research Team discloses AutoJack, a vulnerability chain in AutoGen Studio enabling RCE via malicious websites
- Flaws included localhost channel misuse, skipped login checks, and arbitrary code execution, letting agents run attacker-supplied programs
- Issue existed only in early GitHub builds, fixed before release; highlights need for strict authentication and isolation of local control planes

Microsoft's Defender Security Research Team has disclosed a vulnerability chain in AutoGen Studio that lets a single
malicious website achieve remote code execution (RCE) on a device running an AI agent.
AutoGen Studio is a program built by Microsoft Research for developing AI agents. The vulnerability chain was dubbed AutoJack, and it consists of
three flaws which, when looked at separately, aren't particularly troubling. Chained together, however, is a whole different story.

"The technique, which we call AutoJack, jacks the agent into becoming the attacker's last-mile delivery vehicle by crossing the localhost trust boundary that many developer tools rely on," Microsoft explained in its report.

Patching the bugs

First, AutoGen Studio had a local control channel that only accepted connections from localhost, which is a good way to block outside attackers.
However, an AI agent's web browser also counts as localhost, meaning these connections would get accepted, too. Then, for this particular channel, login checks were skipped.
The app had several ways to require a username and password, but the part of the code handling this specific local channel was left wide open.
Finally, the channel would run almost anything it was told to run. Microsoft's researchers managed to get an arbitrary program running, meaning threat
actors could do the same, albeit with malicious code, instead.
In theory, the attack would work like this: the victim would instruct their
AI agent to summarize a specific website. By doing so, the agent would be
told to download and run malicious code which could be anything from backdoor malware to infostealers.
The good news is that Microsoft found this issue and reported it before the bug ever reached regular users. The official downloadable version of AutoGen Studio never had this problem, since it only existed in an early, in-development version on GitHub. The AutoGen team managed to fix it since then.
"If an agent can browse untrusted pages and also talk to privileged local services, loopback can become an attack surface and control planes must be authenticated, authorized, and isolated," Microsoft concluded.
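
The three gaps described in the story (a loopback-only gate, no login check on the channel, and unrestricted execution) each map to a check a local control channel can enforce. The sketch below is an added example, not code from AutoGen Studio or Microsoft's report; it assumes an HTTP-style channel, and the origin, token, and action names are hypothetical.

```python
import hmac
import ipaddress

# Hypothetical policy values for this sketch (not AutoGen Studio's own).
ALLOWED_ORIGINS = {"http://127.0.0.1:8081"}      # the tool's own UI origin (constructed)
ALLOWED_ACTIONS = {"list_sessions", "run_team"}  # named operations only, no raw commands


def loopback_only(peer_ip: str) -> bool:
    """The weak gate: true for ANY local process, including the agent's browser."""
    return ipaddress.ip_address(peer_ip).is_loopback


def authorize(peer_ip: str, headers: dict, action: str, session_token: str) -> tuple[bool, str]:
    """Hardened gate: loopback is necessary but never sufficient."""
    if not loopback_only(peer_ip):
        return False, "non-loopback peer"
    # Browsers set Origin on WebSocket handshakes and cross-origin fetches,
    # and page script cannot override it, so a browsed page is identifiable.
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "foreign origin"
    # Authentication: per-launch secret, compared in constant time.
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(presented.encode(), session_token.encode()):
        return False, "missing or bad token"
    # Authorization: only allowlisted operations, never an arbitrary program.
    if action not in ALLOWED_ACTIONS:
        return False, "action not allowed"
    return True, "ok"


def demo() -> list[tuple[bool, str]]:
    token = "constructed-per-launch-token"  # constructed sample secret
    good = {"Origin": "http://127.0.0.1:8081", "Authorization": f"Bearer {token}"}
    requests = [  # constructed sample requests, all arriving from 127.0.0.1
        ({"Origin": "https://untrusted.example"}, "run_program"),  # page in the agent's browser
        ({}, "run_team"),                                          # local process without the token
        (good, "run_program"),                                     # authenticated, unlisted action
        (good, "run_team"),                                        # legitimate UI request
    ]
    return [authorize("127.0.0.1", h, a, token) for h, a in requests]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Every request in `demo()` passes `loopback_only`, which is why that gate alone does not separate the tool's own UI from a page the agent happens to be rendering.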
======================================================================
Link to news story:
https://www.techradar.com/pro/security/microsoft-warns-ai-agents-are-being-autojack-ed-to-deliver-rce-payloads-by-browsing-untrusted-websites
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)