AWS Bedrock Sandbox Vulnerability Enables DNS-Based Data Exfiltration

AWS Bedrock Sandbox Vulnerability Enables DNS-Based Data Exfiltration

First seen 17 Mar 2026, 11:21 UTC Infosecurity-MagazineCsoonlineCybersecuritynewsTechnaduScworld+2 85% similarity 67.5

Article Content

Browse articles
ThreatCluster

A security flaw in AWS Bedrock's AgentCore Code Interpreter allows attackers to bypass network isolation through DNS queries. Researchers from BeyondTrust demonstrated that the sandbox mode permits outbound DNS queries for A and AAAA records, enabling covert command-and-control (C2) channels. This vulnerability can lead to data exfiltration and remote command execution if the associated IAM roles are overly permissive. AWS acknowledged the issue but classified it as intended functionality rather than a defect, opting not to issue a patch. The flaw was reported to AWS on September 1, 2025, with an initial fix rolled back in November 2025. The findings emphasize the architectural inadequacies of perimeter controls in AI execution environments. Organizations using AWS Bedrock are advised to audit their configurations and consider migrating sensitive workloads to VPC mode for enhanced security.

Key Points: • AWS Bedrock's sandbox mode allows DNS queries, enabling data exfiltration. • Attackers can establish covert C2 channels if IAM roles are overly permissive. • AWS determined the behavior is intended and will not issue a patch.

ThreatCluster AI

Timeline

2025-09-01
BeyondTrust reported the vulnerability to AWS.
2025-11-01
AWS rolled back an initial fix for the vulnerability.
2025-12-01
AWS informed BeyondTrust that no patch would be issued.
2026-03-16
Phantom Labs published a report detailing the vulnerability.
2026-03-17
Multiple news articles reported on the vulnerability.

Community

Browse all →