Bypassing the AWS Bedrock AgentCore Sandbox: Research on Covert DNS C2 Channels and Data Exfiltration
The Sandbox mode of AWS Bedrock AgentCore Code Interpreter has a security vulnerability: DNS queries are allowed to bypass the network isolation, which threat actors can use to establish a C2 channel and exfiltrate sensitive data. Researchers built a bidirectional communication protocol over DNS and obtained a reverse shell with no network access configured. After a fix attempt failed, AWS updated its documentation and recommended using VPC mode to ensure isolation.

2026-3-17 15:55:23 Author: cybersecuritynews.com

AWS Bedrock AgentCore Sandbox Bypass Allows Covert C2 Channels and Data Exfiltration

A significant security flaw in AWS Bedrock AgentCore Code Interpreter’s “Sandbox” network mode, a feature advertised by AWS as providing complete network isolation, allows outbound DNS queries, enabling threat actors to establish covert command-and-control (C2) channels and exfiltrate sensitive data.

AWS Bedrock AgentCore Code Interpreter is a managed service that allows AI agents and chatbots to execute Python, JavaScript, and shell code on behalf of users, similar to how ChatGPT’s code interpreter processes uploaded files and returns analytical results.

The service offers three network modes: Public, VPC, and Sandbox, with Sandbox originally documented by AWS as providing “complete isolation with no external access.”

BeyondTrust Phantom Labs researchers found a critical gap in that guarantee. Despite Sandbox mode blocking general internet traffic, DNS A and AAAA record queries were permitted to egress the sandbox freely.

Researchers confirmed this behavior using Interactsh, an out-of-band testing server, which received DNS queries from inside the sandboxed Code Interpreter even though the instance was configured with no network access. This single oversight rendered the entire isolation model ineffective.

Building a Full Reverse Shell over DNS

Phantom Labs went beyond simply identifying the DNS leak; they engineered a fully functional bidirectional DNS C2 protocol to prove the severity of the bypass.


Commands were delivered to the sandboxed interpreter via DNS A record responses, where each IP address octet encoded ASCII characters of base64-encoded command chunks. For example, the command whoami encoded as base64 d2hvYW1p would be split across multiple DNS responses, with the first octet indicating whether more chunks remained.

Output exfiltration flowed in the reverse direction, with the Code Interpreter embedding base64-encoded command results into DNS subdomain queries up to 60 characters per DNS label, which were captured by an attacker-controlled EC2 instance acting as a nameserver.

This gave researchers a fully interactive reverse shell operating entirely over DNS, completely bypassing the network isolation that Sandbox mode promised.
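As an added defender-side example (not code from the original article or from BeyondTrust), the following Python flags the traffic pattern described above in DNS resolver query logs: many distinct, long, high-entropy subdomain labels arriving under one base domain. The nameserver domain and the query names are constructed placeholders.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of query names as a resolver log would record them.
# "placeholder-ns.example" stands in for an attacker-controlled nameserver;
# the long leading labels are base64 of harmless strings such as "hostname: sandbox-01".
SAMPLE_QUERIES = [
    "pypi.org",
    "files.pythonhosted.org",
    "sts.us-east-1.amazonaws.com",
    "prod-telemetry-collector.internal.example",
    "dWlkPTAocm9vdCkgZ2lkPTAocm9vdCk=.c2.placeholder-ns.example",
    "aG9zdG5hbWU6IHNhbmRib3gtMDE=.c2.placeholder-ns.example",
    "cmVnaW9uPXVzLWVhc3QtMQ==.c2.placeholder-ns.example",
]

# Permissive encoded-payload alphabet: base64, base64url and base32 all fit.
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(text):
    """Bits per character; encoded chunks score high, ordinary hostnames low."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_labels(qname, min_len=24, min_entropy=3.5):
    """Return the labels of qname that look like encoded payload chunks."""
    labels = qname.rstrip(".").split(".")
    return [
        label for label in labels
        if len(label) >= min_len
        and ENCODED_LABEL.match(label)
        and shannon_entropy(label) >= min_entropy
    ]


def detect_dns_tunnel(queries, min_unique=3):
    """Count distinct encoded subdomains per base domain. Chunked exfiltration
    emits a new subdomain for every chunk, so a base domain collecting several
    is the signal. Base domain = last two labels (use a public suffix list in
    production). Returns {base_domain: unique_encoded_subdomain_count}."""
    per_domain = defaultdict(set)
    for qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) >= 3 and suspicious_labels(qname):
            per_domain[".".join(labels[-2:])].add(".".join(labels[:-2]))
    return {d: len(subs) for d, subs in per_domain.items() if len(subs) >= min_unique}
```

The entropy guard keeps long but natural labels such as `prod-telemetry-collector` from being flagged, while the per-domain count separates a one-off hashed hostname from a stream of chunks.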

AWS Bedrock AgentCore Sandbox Bypass Flaw

The attack’s danger compounds significantly because Code Interpreter instances operate with an assigned IAM role. Researchers demonstrated that through the DNS shell, they could run AWS CLI commands using the interpreter’s IAM credentials to list S3 buckets and retrieve sensitive files, including customer PII, API credentials, and financial records, all exfiltrated silently over DNS.

The AgentCore Starter Toolkit’s default IAM role, as documented in AWS’s open-source repository, grants sweeping permissions, including full S3 read access, full DynamoDB access, and unrestricted Secrets Manager access, a severe violation of the principle of least privilege.

Responsible Disclosure and AWS’s Response

BeyondTrust responsibly disclosed the vulnerability to AWS via HackerOne (Report #3323153) on September 1, 2025, initially scored at CVSSv3 8.1 and later revised to 7.5. AWS reproduced and acknowledged the issue and deployed an initial fix on November 1, 2025, but subsequently rolled it back.

On December 23, 2025, AWS communicated that no permanent fix would be issued, instead updating documentation to clarify that Sandbox mode permits DNS resolution and recommending customers migrate to VPC mode for true isolation. AWS awarded the reporting researcher a $100 AWS Gear Shop gift card. Public disclosure occurred on March 16, 2026.

This vulnerability intersects dangerously with the expanding AI attack surface. Attackers do not need direct shell access to trigger the exploit: prompt injection attacks, supply chain compromises within the Code Interpreter’s 270+ third-party dependencies (including pandas and numpy), or manipulation of AI-generated Python code could serve as the initial vector, with the DNS C2 channel acting as the persistent exfiltration mechanism.

Prior related research by Sonrai Security also demonstrated credential exfiltration from AgentCore sandboxes via the Firecracker microVM Metadata Service, underscoring a broader pattern of isolation weaknesses in AgentCore’s architecture.



Article source: https://cybersecuritynews.com/aws-bedrock-agentcore-sandbox-bypass/