Amazon Web Services (AWS) is facing new security concerns after researchers uncovered a vulnerability in its Bedrock AgentCore Code Interpreter that allows attackers to bypass sandbox isolation and establish covert command-and-control (C2) channels. The flaw, assigned a CVSS score of 7.5, was discovered by BeyondTrust Phantom Labs and publicly disclosed on March 16, 2026. It impacts the “Sandbox” network mode, which is designed to securely execute dynamic code such as Python and shell scripts in isolated environments.

AWS promotes its sandbox environment as secure, powered by Firecracker microVMs to ensure strong isolation. However, researchers identified a critical weakness in the network layer outbound DNS requests are permitted, specifically for A and AAAA record queries. This allowed functionality opens a stealthy attack path. If an attacker gains code execution within the interpreter via prompt injection, malicious AI-generated code, or supply chain compromise they can exploit DNS queries to communicate with external servers.

The attack operates by continuously querying an attacker-controlled DNS server. Commands are encoded into IP addresses returned in DNS responses, which are then reconstructed into executable instructions inside the sandbox. Simultaneously, sensitive data is exfiltrated by encoding it into DNS subdomains using base64 fragments. This creates a bidirectional C2 channel entirely over DNS traffic, making detection significantly more difficult.

The severity increases when the Code Interpreter is assigned overly permissive AWS Identity and Access Management (IAM) roles. Researchers demonstrated that attackers could leverage these privileges to interact with other AWS services such as S3 buckets and DynamoDB.

Through the DNS-based channel, attackers can:

  • Enumerate cloud resources

  • Access sensitive storage data

  • Extract PII, API keys, and financial information

Because the communication relies solely on DNS, traditional monitoring tools focused on HTTP or TCP traffic may fail to detect the activity, allowing attackers to remain stealthy and persistent. AWS has not issued a direct patch, stating that DNS resolution is intentionally allowed within Sandbox mode. As a result, the responsibility for mitigation falls on organizations using the service.

Security experts recommend the following actions:

  • Audit all active AgentCore Code Interpreter instances

  • Avoid using Sandbox mode for sensitive workloads

  • Shift critical workloads to VPC mode for stricter network isolation

  • Implement Route53 DNS Firewall and network ACLs to restrict outbound DNS traffic

  • Enforce least-privilege IAM policies to minimize access risks

This vulnerability underscores the evolving risks associated with AI-powered cloud services. As organizations increasingly rely on dynamic and AI-generated code execution, traditional security assumptions such as sandbox isolation may no longer be sufficient. The incident highlights the need for modern security strategies that account for unconventional attack channels like DNS-based exfiltration, especially in cloud environments handling sensitive data.

Recommended Cyber News:

To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com