AutoJack Exploit Chain Hits Microsoft AutoGen Studio With Zero-Click RCE Attack

ID: bc585f57-ca95-55a7-b3f0-6db1fdb3a085

STIX ID: report--bc585f57-ca95-55a7-b3f0-6db1fdb3a085

Feed Name: GBHackers

Threat Score: 65/100

Date Published: 2026-06-20

Date Updated: 2026-06-20

Author: Eswar

A critical exploit chain called AutoJack abuses AutoGen Studio’s Model Context Protocol WebSocket to escalate a browsing agent’s localhost identity into remote code execution on the host by chaining three weaknesses (CWE-1385, CWE-306, CWE-78). The proof-of-concept demonstrates arbitrary command execution (e.g., `calc.exe`) when an agent renders attacker-controlled content. Fixes were committed (b047730), and the vulnerable MCP route was not included in the published PyPI package (`autogenstudio 0.4.2.2`). Recommended mitigations include installing the PyPI release or a patched build, isolating agent identity, allowlisting invoked executables, and not running browsing agents on machines hosting untrusted content.