AWS Bedrock AgentCore Sandbox Escape Enables Stealthy C2 and Data Exfiltration
BeyondTrust’s Phantom Labs has disclosed a security shortcoming in AWS Bedrock AgentCore’s Code Interpreter, showing that the service’s “Sandbox” network mode does not fully block outbound communication as originally advertised.
The issue hinges on allowed public DNS queries, which can be abused to establish command‑and‑control (C2) channels and exfiltrate data over DNS, even when the environment is configured to appear isolated.
AWS originally described Sandbox mode as offering “complete isolation with no external access,” yet Phantom Labs found that A and AAAA DNS queries remain permitted for resolution. This small “escape hatch” is enough to build a bidirectional C2 tunnel where an attacker can:
- Establish a full interactive reverse shell via a custom DNS‑based protocol
- Exfiltrate sensitive data through DNS queries
- Perform command execution under the Code Interpreter’s IAM role, provided that role has access to AWS resources such as S3, DynamoDB, or Secrets Manager.
In structured testing, the team demonstrated real‑world impact: they could list S3 buckets, enumerate objects, and pull down PII‑rich CSVs, API‑key JSONs, and confidential financial data, all over DNS channels, while the sandbox configuration still reported “no external network access.”
The vulnerability was responsibly disclosed to AWS via HackerOne (Report #3323153) in September 2025, with an initial CVSSv3 score of about 8.1, later revised to 7.5. AWS acknowledged the behavior, reproduced the interactive‑shell PoC, deployed a short‑lived fix, then rolled it back and ultimately decided not to patch the underlying behavior.
Instead, AWS updated its documentation to clarify that Sandbox mode allows limited external network access, including DNS resolution, and recommends using VPC Mode for organizations that require full network control and isolation.
The risk is not just that the sandbox “leaks” DNS; it’s that getting code execution inside the Code Interpreter is often easier in AI contexts than in traditional environments. Prompt injection (direct or indirect), compromised third‑party libraries, and AI‑generated code can all be used to trick an agent into running malicious payloads that then abuse the DNS channel.
Because the Code Interpreter runs inside Firecracker microVMs, AWS has strong compute‑level isolation. Still, the network‑layer assumption of “no external access” breaks down at the DNS layer, undermining the perceived defense‑in‑depth boundary.
Since AWS has chosen not to alter the behavior of Sandbox mode, defenders must:
- Inventory all AgentCore Code Interpreter instances, their network modes, and their IAM roles, and remove broad or unnecessary permissions.
- Assume Sandbox mode does not provide full network isolation; DNS‑based exfiltration is possible by design.
- Migrate sensitive workloads to VPC Mode, where VPC endpoints, security groups, network ACLs, and DNS‑level controls (such as Route 53 Resolver DNS Firewall) can be used to block suspicious domains and monitor anomalous DNS traffic.
- Enforce strict least‑privilege IAM roles for Code Interpreter, separate from roles used by other AgentCore components, and combine code review with guardrails to reduce the risk of prompt‑injection‑driven payload execution.
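As an added example (not Phantom Labs' tooling and not AWS code), here is the kind of DNS monitoring the last two points call for: a small detector run over constructed Route 53 Resolver query-log records that flags registrable domains receiving many distinct lookups whose leftmost label is long or high-entropy, the signature of data being carried in query names. The field names follow the Resolver query-log format; the records, the `ex-tunnel.test` domain and the thresholds are assumptions.

```python
import json
import math
from collections import defaultdict

# Constructed sample Route 53 Resolver query-log records (not real traffic).
# Two ordinary AWS service lookups, then a burst of 32-character hex labels
# under one domain, which is what DNS-carried data looks like in the logs.
SAMPLE_LOGS = [
    '{"srcaddr":"10.0.1.5","query_name":"s3.us-east-1.amazonaws.com.","query_type":"A"}',
    '{"srcaddr":"10.0.1.5","query_name":"sts.amazonaws.com.","query_type":"A"}',
    '{"srcaddr":"10.0.1.5","query_name":"4a7f3b9e2c1d8e6f0a5b3c7d9e1f2a4b.ex-tunnel.test.","query_type":"A"}',
    '{"srcaddr":"10.0.1.5","query_name":"9c2e7a1b5d4f8e3a6b0c9d2e5f7a1b3c.ex-tunnel.test.","query_type":"AAAA"}',
    '{"srcaddr":"10.0.1.5","query_name":"1f6a9d3c7e2b5a8d0f4c6e9b1a3d5f7e.ex-tunnel.test.","query_type":"A"}',
    '{"srcaddr":"10.0.1.5","query_name":"b8d2f6a0c4e8b2d6f0a4c8e2b6d0f4a8.ex-tunnel.test.","query_type":"A"}',
]

def shannon_entropy(s):
    """Bits per character; hex/base32 payload labels score well above hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(lines, max_label=24, min_entropy=3.5, min_suspicious=3):
    """Group queries by registrable domain and return those that look like a
    data channel: at least `min_suspicious` distinct names whose leftmost label
    is long or high-entropy. Output domains are candidates for a DNS Firewall
    block list and for closer review of the calling role's activity."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": set(), "types": set()})
    for line in lines:
        rec = json.loads(line)
        qname = rec["query_name"].rstrip(".").lower()
        label = qname.split(".")[0]
        d = stats[registrable_domain(qname)]
        d["queries"] += 1
        d["types"].add(rec["query_type"])
        if len(label) >= max_label or shannon_entropy(label) >= min_entropy:
            d["suspicious"].add(qname)
    return {dom: {"queries": s["queries"], "suspicious": len(s["suspicious"]),
                  "types": sorted(s["types"])}
            for dom, s in stats.items() if len(s["suspicious"]) >= min_suspicious}

if __name__ == "__main__":
    for dom, s in analyze(SAMPLE_LOGS).items():
        print(f"{dom}: {s['suspicious']} suspicious of {s['queries']} queries, types {s['types']}")
```

In practice the same grouping should also be keyed by `srcaddr` so that one noisy Code Interpreter session stands out from the rest of the VPC.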
This research underscores a growing pattern: as AI systems autonomously execute code, subtle network‑layer behaviors such as “allowed DNS for S3 operations” can become critical attack surfaces.
DNS‑based exfiltration is not new, but it now applies to managed AI code‑execution environments that many organizations treat as “fully isolated.” By open‑sourcing their PoC tooling, Phantom Labs aims to help the industry rethink isolation assumptions and harden AI‑powered agents before they become standard in production data‑handling pipelines.
Site: cybersecuritypath.com