Autorun is an operating system feature that automatically executes a program or file when external media (like a USB drive) is connected, which adversaries can exploit to silently run malware without any user action, a key device vulnerability in AP Cybersecurity Unit 4.
Autorun is a feature built into operating systems that automatically launches a program or opens a file the moment external media gets plugged in. Think of inserting a CD that immediately starts an installer, or a USB drive that pops open a setup window on its own. That convenience is exactly what makes it dangerous.
If an adversary drops malware onto a USB drive and configures it to autorun, then plugging that drive into a device can execute the malicious code with no clicking, no opening, no permission prompt. This lines up directly with EK 4.1.C, where adversaries exploit common device vulnerabilities to cause loss, damage, disruption, or destruction. Autorun turns a physical drive into a delivery system for the malware types from EK 4.1.B, like viruses, worms, trojans, and RATs. The fix is straightforward: disable autorun so external media never runs anything automatically.
Autorun lives in Topic 4.1 (Device Vulnerabilities and Attacks) inside Unit 4: Securing Devices. It supports [AP Cybersecurity 4.1.C], explaining how adversaries exploit common device vulnerabilities, and feeds into [AP Cybersecurity 4.1.D], assessing and documenting the risk those vulnerabilities create. It matters because it's a concrete example of a vulnerability that requires zero user interaction once the media is connected. That makes it a clean test case for the difference between an attack that needs a user to click something and one that doesn't.
Keep studying AP Cybersecurity Unit 4
Visual cheatsheet
view galleryMalware delivery: viruses, worms, and trojans (Unit 4)
Autorun is a delivery method, not the payload. A virus normally needs a user to open a file, but pairing it with autorun removes that step, so the malware fires the instant the drive connects.
Unpatched software exploits (Unit 4)
Both autorun and unpatched software (EK 4.1.C.1) let an adversary run their own code on your device. The difference is the doorway: one uses a physical drive, the other uses a known software flaw.
Risk assessment of device vulnerabilities (Unit 4)
Under EK 4.1.D, you weigh risk by how critical the device is. Autorun on a USB plugged into a server holding sensitive data is far higher risk than the same on an isolated personal laptop.
RAT and command and control (Unit 4)
Autorun can be the first stage that drops a remote access trojan. Once the RAT runs, it phones home to a C2 server, turning a one-time USB plug-in into ongoing remote control of the device.
Expect autorun in multiple-choice questions about device exploitation. One stem asks which scenario best shows an adversary exploiting autorun, so you need to recognize the pattern: malicious code on external media that runs automatically when connected. Another asks which security measure directly addresses the autorun vulnerability, and the answer is disabling autorun, not a generic fix like patching or a firewall. Connect autorun to the broader idea that some exploits need user action and some don't. No released FRQ has used the term verbatim, but it fits the kind of vulnerability-and-mitigation reasoning the exam rewards.
Both are device vulnerabilities, but they're attacked differently. Autorun exploits physical external media that auto-executes code, while open ports let an adversary connect over the network to services running without firewall protection. Autorun needs a drive plugged in; open ports need network access.
Autorun automatically executes a program or file the moment external media like a USB drive is connected, with no user click required.
Adversaries exploit autorun to silently deliver malware, so it's a delivery method rather than a type of malware itself.
The direct fix for the autorun vulnerability is to disable autorun, not to patch software or add a firewall.
Autorun maps to Topic 4.1 and supports learning objective [AP Cybersecurity 4.1.C] on exploiting common device vulnerabilities.
The risk from autorun rises with how critical the device is, which ties it to risk assessment under [AP Cybersecurity 4.1.D].
Autorun is an operating system feature that automatically runs a program or opens a file when external media is connected. In Unit 4 it's treated as a device vulnerability because adversaries can put malware on a USB drive and have it execute the instant the drive is plugged in.
No. Autorun is a legitimate OS feature, not malware. The danger is that adversaries abuse it to automatically execute malicious code like viruses, worms, or RATs from external media without any user action.
Autorun is exploited through physical external media that auto-executes code when connected, while open ports are exploited over the network when services run without firewall protection. One needs a drive plugged in; the other needs network access to unprotected services.
Disable autorun so external media never runs anything automatically. On the exam, the security measure that directly addresses this vulnerability is turning off autorun, not generic defenses like patching or installing a firewall.
Because once the drive is connected, no user interaction is needed; the code runs on its own. That makes it an effective first stage for dropping malware, including a RAT that then connects to a command and control server for ongoing remote control.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.