BeyondTrust's Phantom Labs team discovered that AWS Bedrock AgentCore's 'Sandbox' mode, advertised as providing complete isolation, allows outbound DNS queries that can be exploited to create a bidirectional command-and-control channel. By encoding data into DNS queries and responses, researchers demonstrated data exfiltration and an interactive reverse shell without triggering network restrictions. AWS acknowledged the issue, briefly deployed a fix in November 2025, then rolled it back and ultimately classified the behavior as 'intended functionality,' updating documentation instead of patching. The researcher received a $100 gift card. Security experts recommend inventorying AgentCore instances, migrating to VPC mode, and deploying deception artifacts like canary IAM credentials and DNS sinkholes as mitigations.
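A detection heuristic for the DNS-encoded channel described above, added here as an illustration and not taken from BeyondTrust or AWS: it groups DNS query records by source and parent domain and flags sources that send many unique, long, high-entropy subdomains to a single domain. The record field names (`src`, `qname`), the thresholds and the sample queries are constructed assumptions to be adapted to whatever resolver logging is available.

```python
import hashlib
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_tunnel_suspects(records, min_unique=5, min_avg_len=20, min_entropy=3.0):
    """Return sorted (source, parent_domain, unique_subdomains) for tunnel-like patterns."""
    subs_by_key = defaultdict(set)
    for rec in records:
        labels = rec["qname"].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry encoded data
        # Simplification: the last two labels are treated as the registered domain;
        # a production version would consult the Public Suffix List.
        parent, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        subs_by_key[(rec["src"], parent)].add(sub)
    suspects = []
    for (src, parent), subs in subs_by_key.items():
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(entropy, subs)) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            suspects.append((src, parent, len(subs)))
    return sorted(suspects)

# Constructed sample records (not real logs). Thresholds above are illustrative
# assumptions and need tuning against a baseline of normal sandbox traffic.
BENIGN = [
    {"src": "sandbox-a", "qname": "bedrock-runtime.us-east-1.amazonaws.com."},
    {"src": "sandbox-a", "qname": "s3.us-east-1.amazonaws.com."},
    {"src": "sandbox-a", "qname": "sts.us-east-1.amazonaws.com."},
    {"src": "sandbox-b", "qname": "pypi.org."},
    {"src": "sandbox-b", "qname": "files.pythonhosted.org."},
]
# Eight unique 40-character hex labels under one reserved-TLD test domain,
# standing in for chunks of encoded data.
ENCODED = [
    {"src": "sandbox-a",
     "qname": hashlib.sha256(b"chunk-%d" % i).hexdigest()[:40] + ".exfil-test.example."}
    for i in range(8)
]
SAMPLE_QUERIES = BENIGN + ENCODED

if __name__ == "__main__":
    for src, parent, count in find_tunnel_suspects(SAMPLE_QUERIES):
        print(f"{src}: {count} unique high-entropy subdomains under {parent}")
```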