BeyondTrust shows how AWS Bedrock AgentCore’s ‘isolated’ environment can be tricked into data exfiltration and command execution via DNS.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

BeyondTrust's Phantom Labs team discovered that AWS Bedrock AgentCore's 'Sandbox' mode, advertised as providing complete isolation, allows outbound DNS queries that can be exploited to create a bidirectional command-and-control channel. By encoding data into DNS queries and responses, researchers demonstrated data exfiltration and an interactive reverse shell without triggering network restrictions. AWS acknowledged the issue, briefly deployed a fix in November 2025, then rolled it back and ultimately classified the behavior as 'intended functionality,' updating documentation instead of patching. The researcher received a $100 gift card. Security experts recommend inventorying AgentCore instances, migrating to VPC mode, and deploying deception artifacts like canary IAM credentials and DNS sinkholes as mitigations.

AWS Bedrock’s ‘isolated’ sandbox comes with a DNS escape hatch