Research
AWS Bedrock AgentCore 'Sandbox' Bypassed via DNS: BeyondTrust Discloses C2 Channel and Full Data Exfiltration
BeyondTrust Phantom Labs disclosed (March 16) that AWS Bedrock AgentCore's Code Interpreter Sandbox permits outbound DNS queries, enabling covert C2 channels and exfiltration of PII, API keys, and financial data. Commands are encoded as chunked ASCII in DNS A-record IP responses; output is exfiltrated via base64-encoded DNS subdomain queries. AWS declined to patch—updating docs to call DNS resolution 'intended functionality'—and awarded a CVSS 7.5, leaving the attack surface open for all Bedrock AgentCore users today.
↳ Follow the thread