Summary
Key Points:
- An exploit chain named AutoJack was discovered in AutoGen Studio, allowing untrusted web content to execute arbitrary commands on the host via a local Model Context Protocol (MCP) WebSocket.
- The vulnerability affects systems running AutoGen Studio where an agent can browse untrusted content and interact with privileged local services, leading to potential remote code execution (RCE).
- Recommended actions include isolating AutoGen Studio in a secure environment, implementing strict authentication for control planes, and avoiding running browsing agents alongside untrusted content.
Technical Details: The exploit leverages three weaknesses: a localhost-only origin allowlist that can be bypassed by local agents, missing authentication for critical MCP paths, and the ability to execute arbitrary commands via base64-decoded parameters. This results in RCE without user interaction.
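To make the two control-plane weaknesses named above concrete from a defender's side, the following added illustration (not code from AutoGen Studio or from the AutoJack write-up; every class, function and message-field name is hypothetical) places a weak gate and handler beside hardened ones: an origin-only allowlist that any locally loaded page satisfies versus an origin check plus a per-session bearer token, and a handler that base64-decodes an opaque field into a command versus one that dispatches only named tools from an allowlist. Command execution is simulated and recorded in an audit list rather than performed.

```python
"""Added defensive illustration, not code from AutoGen Studio or the AutoJack
write-up. Models the control-plane weaknesses the summary names: an origin-only
allowlist standing in for authentication, and a handler that decodes an opaque
parameter and treats it as a command. All names here are hypothetical."""
import base64
import hmac
import secrets
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def origin_is_loopback(origin):
    """True when the Origin header names a loopback host (weak evidence only)."""
    if not origin:
        return False
    return urlparse(origin).hostname in LOOPBACK_HOSTS

# Tools a caller may invoke by name; the hardened handler never executes free text.
ALLOWED_TOOLS = {"list_files", "read_file"}

class ControlPlane:
    """Hypothetical local WebSocket control plane with a weak and a hardened gate."""

    def __init__(self):
        # Minted once per process and delivered only to the legitimate UI session,
        # so a page that merely runs on localhost does not possess it.
        self.session_token = secrets.token_urlsafe(32)
        self.audit = []

    def weak_gate(self, headers):
        """Origin-only allowlist: any page a local browser loads passes this."""
        return origin_is_loopback(headers.get("Origin"))

    def hardened_gate(self, headers):
        """Origin check plus a per-session bearer token, compared in constant time."""
        if not origin_is_loopback(headers.get("Origin")):
            return False
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not presented or not presented.isascii():
            return False
        return hmac.compare_digest(presented, self.session_token)

    def weak_handle(self, message):
        """Vulnerable pattern: an opaque base64 field becomes a command string.
        Execution is simulated; the point is that nothing constrains the value."""
        command = base64.b64decode(message.get("cmd_b64", "")).decode("utf-8", "replace")
        self.audit.append(("would-execute", command))
        return {"status": "executed", "command": command}

    def hardened_handle(self, message):
        """Dispatch only named tools from an allowlist, with structured arguments."""
        tool = message.get("tool")
        if tool not in ALLOWED_TOOLS:
            self.audit.append(("rejected-tool", tool))
            return {"status": "rejected", "reason": "unknown tool"}
        if not isinstance(message.get("args", {}), dict):
            return {"status": "rejected", "reason": "args must be an object"}
        self.audit.append(("dispatched", tool))
        return {"status": "ok", "tool": tool}

    def serve(self, headers, message, gate, handler):
        """Gate the connection, then hand the message to the chosen handler."""
        if not gate(headers):
            self.audit.append(("unauthorized", headers.get("Origin")))
            return {"status": "unauthorized"}
        return handler(message)

def demo():
    """Run the same locally originated message through both configurations."""
    cp = ControlPlane()
    local_page = {"Origin": "http://localhost:8081"}          # constructed
    legit_ui = {"Origin": "http://localhost:8081",            # constructed
                "Authorization": "Bearer " + cp.session_token}
    # Constructed message shaped like the summary's description: a base64
    # command parameter. The encoded payload is a harmless echo.
    injected = {"cmd_b64": base64.b64encode(b"echo hello").decode()}
    return {
        "weak_path": cp.serve(local_page, injected, cp.weak_gate, cp.weak_handle),
        "hardened_no_token": cp.serve(local_page, injected,
                                      cp.hardened_gate, cp.hardened_handle),
        "hardened_ui_bad_shape": cp.serve(legit_ui, injected,
                                          cp.hardened_gate, cp.hardened_handle),
        "hardened_ui_ok": cp.serve(legit_ui, {"tool": "list_files", "args": {"path": "."}},
                                   cp.hardened_gate, cp.hardened_handle),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak path accepts the message purely because it arrived from a loopback origin, which is exactly the property a locally running browsing agent shares with the legitimate UI; the hardened path rejects it twice over, once for lacking the session token and again because the message carries no allowlisted tool name. Detection-wise, the `audit` list shows where a monitor would sit: unauthorized connection attempts and rejected tool names on a local control plane are worth alerting on.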
MITRE ATT&CK Techniques:
- T1078 - Valid Accounts (Defense Evasion)
- T1190 - Exploit Public-Facing Application (Initial Access)
- T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
IOCs Mentioned: None.