A critical security vulnerability has been identified in AWS Bedrock AgentCore Code Interpreter’s Sandbox network mode. Initially promoted by AWS as providing complete network isolation, the feature allows outbound DNS queries, creating a pathway for threat actors to establish covert command-and-control (C2) channels and exfiltrate sensitive data.
Background on AWS Bedrock AgentCore
The AWS Bedrock AgentCore Code Interpreter is a managed service that lets AI agents and chatbots execute code in Python, JavaScript, and shell languages. Similar to ChatGPT’s code interpreter, it processes uploaded files and provides analytical results. The service offers three network modes: Public, VPC, and Sandbox, with the latter initially described by AWS as having ‘complete isolation with no external access.’
However, researchers at BeyondTrust Phantom Labs uncovered a significant flaw. Despite blocking general internet traffic, the Sandbox mode allowed DNS A and AAAA record queries to exit the sandbox without restriction. This discovery was confirmed using Interactsh, an out-of-band testing server, which received DNS queries from the sandbox even when network access was supposedly restricted.
Exploiting the DNS Leak
The researchers didn’t stop at identifying the DNS leak; they engineered a fully operational bidirectional DNS C2 protocol to demonstrate the vulnerability’s gravity. Commands were transmitted to the sandboxed interpreter via DNS A record responses, encoding ASCII characters of base64-encoded command chunks within IP address octets. For instance, the command ‘whoami’ encoded in base64 as ‘d2hvYW1p’ was split across multiple DNS responses, with octets indicating remaining chunks.
Output exfiltration happened in reverse, with the Code Interpreter embedding encoded command results into DNS subdomain queries up to 60 characters per label. These were captured by an attacker-controlled EC2 instance acting as a nameserver, allowing a fully interactive reverse shell to operate entirely over DNS, bypassing the promised network isolation.
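A defender reviewing DNS query logs can look for the pattern described above: many distinct, long, high-entropy subdomain labels under a single parent zone. The following sketch is an added example, not code from BeyondTrust or AWS; the log record shape, the zone names, the thresholds and the base32 sample labels are all constructed assumptions, and the parent zone is naively taken to be the last two labels.

```python
import base64
import hashlib
import math
from collections import defaultdict

def _encoded_label(seed):
    # Constructed stand-in for an exfiltration chunk: 52 base32 characters.
    digest = hashlib.sha256(seed.encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()

# Constructed (qtype, qname) records, not real traffic; zones use the reserved .example TLD.
SAMPLE_QUERIES = [
    ("A", "www.service.example."),
    ("AAAA", "api.service.example."),
    ("A", _encoded_label("asset") + ".cdn.example."),  # one long label, seen once
] + [("A", f"{_encoded_label(f'chunk{i}')}.tunnel.example.") for i in range(4)]

def shannon_entropy(text):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def find_tunnel_candidates(queries, min_label_len=40, min_entropy=3.0,
                           min_unique=3, qtypes=("A", "AAAA")):
    """Return {parent zone: count of unique suspicious names} over threshold."""
    hits = defaultdict(set)
    for qtype, qname in queries:
        if qtype not in qtypes:
            continue
        labels = qname.rstrip(".").lower().split(".")
        # Simplification (assumption): the parent zone is the last two labels.
        zone, sub_labels = ".".join(labels[-2:]), labels[:-2]
        # A name is suspicious if any subdomain label is both long and high entropy.
        if any(len(l) >= min_label_len and shannon_entropy(l) >= min_entropy
               for l in sub_labels):
            hits[zone].add(".".join(labels))
    # A tunnel needs many distinct names to move data; a one-off long label does not qualify.
    return {zone: len(names) for zone, names in hits.items()
            if len(names) >= min_unique}

if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_QUERIES))
```

The thresholds are starting points to tune against a baseline of normal traffic, since some legitimate services also use long generated hostnames.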
Implications and AWS’s Response
The attack’s severity is heightened because Code Interpreter instances operate with an assigned IAM role, which lets attackers execute AWS CLI commands using the interpreter’s credentials. This allowed researchers to list S3 buckets and retrieve sensitive files, including customer PII, API credentials, and financial records, all exfiltrated covertly over DNS.
BeyondTrust disclosed the vulnerability to AWS via HackerOne on September 1, 2025, initially scoring it with a CVSSv3 rating of 8.1, later revised to 7.5. Although AWS acknowledged the issue and deployed an initial fix, it was rolled back. As of December 23, 2025, AWS stated that no permanent fix would be issued, instead recommending customers shift to VPC mode for true isolation. Public disclosure was made on March 16, 2026.
This vulnerability highlights significant risks within the expanding AI attack surface. Attackers don’t need direct shell access to exploit vulnerabilities; supply chain compromises or manipulation of AI-generated code could serve as the initial vector, with the DNS C2 channel providing persistent exfiltration. Prior research by Sonrai Security also identified credential exfiltration from AgentCore sandboxes, indicating broader architectural isolation weaknesses.
