Categories: Cyber Security News

AWS Bedrock AgentCore Flaw Enables Stealthy C2 Channels and Data Theft

A newly disclosed vulnerability in AWS Bedrock AgentCore Code Interpreter has raised serious concerns after researchers demonstrated a method to bypass its sandbox isolation and establish covert command-and-control (C2) channels.

The issue, assigned a CVSS v3 score of 7.5, enables attackers to exfiltrate sensitive data and execute remote commands through DNS traffic without triggering traditional network defenses.

The flaw was discovered by BeyondTrust’s Phantom Labs and publicly disclosed on March 16, 2026. It affects the “Sandbox” network mode of the AgentCore Code Interpreter, a feature designed to safely execute dynamic code such as Python or shell scripts within isolated environments.

Sandbox Isolation Bypass via DNS

AWS promotes the sandbox as a secure execution environment powered by Firecracker microVMs, offering strong compute isolation.

However, researchers found a critical gap in the network layer: outbound DNS requests are allowed, specifically for A and AAAA record lookups.

This seemingly minor allowance creates a powerful attack vector. If an attacker gains code execution inside the interpreter through prompt injection, malicious AI-generated code, or supply chain compromise, they can abuse DNS queries to communicate with an external server.

The attack works by continuously polling an attacker-controlled DNS server. Commands are sent back to the compromised environment encoded within the IP addresses returned in DNS responses, and these values are reconstructed into executable instructions inside the sandbox.

At the same time, the compromised system exfiltrates data by encoding it into DNS subdomain queries as base64 chunks. The result is a fully functional, bidirectional C2 channel that operates entirely over DNS traffic.

The impact becomes more severe when the Code Interpreter is assigned overly permissive AWS Identity and Access Management (IAM) roles.

Researchers demonstrated that attackers could leverage these permissions to query other AWS services, including S3 buckets and DynamoDB.

Through the DNS-based C2 channel, attackers can:

  • Enumerate cloud resources
  • Access sensitive files
  • Extract personally identifiable information (PII), API keys, and financial data

Because all communication occurs over DNS, standard monitoring tools focused on HTTP or TCP traffic may fail to detect the activity. This significantly increases the stealth and persistence of such attacks.
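As an added illustration (not code from the article or from BeyondTrust), the following Python groups A/AAAA queries from DNS resolver logs by source address and zone and flags the pattern described above: many distinct, long, high-entropy subdomains under a single zone. The records are constructed and shaped like Route 53 Resolver query-log JSON lines; the field names, the zone name and the thresholds are assumptions.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed records shaped like Route53 Resolver query-log JSON lines
# (field names are an assumption about that format; all values are invented).
SAMPLE_LOG = """\
{"query_name":"s3.us-east-1.amazonaws.com.","query_type":"A","srcaddr":"10.0.0.4"}
{"query_name":"s3.us-east-1.amazonaws.com.","query_type":"A","srcaddr":"10.0.0.4"}
{"query_name":"c2FtcGxlLXJlY29yZC0wMDAw.0001.tunnel-example.test.","query_type":"A","srcaddr":"10.0.0.9"}
{"query_name":"ZXhhbXBsZS1jaHVua3MtaGVy.0002.tunnel-example.test.","query_type":"A","srcaddr":"10.0.0.9"}
{"query_name":"Q29uc3RydWN0ZWQtdGVzdC1k.0003.tunnel-example.test.","query_type":"AAAA","srcaddr":"10.0.0.9"}
{"query_name":"YXRhLWZvci1kZW1vLW9ubHk0.0004.tunnel-example.test.","query_type":"A","srcaddr":"10.0.0.9"}
{"query_name":"bm90LXJlYWwtZGF0YS1zdHJp.0005.tunnel-example.test.","query_type":"A","srcaddr":"10.0.0.9"}
"""


def shannon_entropy(s: str) -> float:
    # Bits per character: base64 chunks score far above ordinary hostnames.
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    # (zone, payload): the last two labels, and everything left of them. Taking
    # the last two labels stands in for a proper public-suffix lookup.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_dns_tunnels(log_text, min_unique=4, min_len=12, min_entropy=3.0):
    # Group A/AAAA queries by (source, zone); flag groups with many distinct,
    # long, high-entropy subdomains, the signature of data encoded into labels.
    groups = defaultdict(set)
    for line in filter(None, log_text.splitlines()):
        rec = json.loads(line)
        if rec.get("query_type") in ("A", "AAAA"):
            zone, payload = split_name(rec["query_name"])
            groups[(rec["srcaddr"], zone)].add(payload)
    hits = {}
    for key, payloads in groups.items():
        if len(payloads) < min_unique:
            continue  # repeated lookups of one name (e.g. polling S3) are normal
        avg_len = sum(map(len, payloads)) / len(payloads)
        avg_ent = sum(map(shannon_entropy, payloads)) / len(payloads)
        if avg_len >= min_len and avg_ent >= min_entropy:
            hits[key] = {"unique_subdomains": len(payloads),
                         "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return hits
```

This only sees the outbound half of the channel (data carried in query names); the inbound half, commands encoded in A-record answers, would need the resolver's answer fields and a check for rapidly changing addresses under one zone.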

AWS Response and Mitigation Guidance

AWS has not patched the behavior, instead clarifying in its documentation that DNS resolution is intentionally allowed in Sandbox mode. This places the responsibility on organizations to secure their deployments.

Security teams are advised to:

  • Audit all active AgentCore Code Interpreter instances
  • Avoid using Sandbox mode for sensitive workloads
  • Migrate critical environments to VPC mode for strict network isolation
  • Apply Route 53 Resolver DNS Firewall rules and network ACLs (both VPC-level controls) to restrict outbound DNS and other traffic
  • Enforce least privilege IAM roles to limit access to only necessary resources

This vulnerability highlights the evolving risks in AI-integrated cloud services, where traditional isolation assumptions may not hold.

Organizations must adapt their security strategies to account for unconventional channels like DNS-based exfiltration, especially in environments executing dynamic or AI-generated code.


The post AWS Bedrock AgentCore Flaw Enables Stealthy C2 Channels and Data Theft appeared first on Cyber Security News.
