AWS Bedrock AgentCore - Critical Sandbox Bypass Vulnerability
Basically, a flaw in AWS lets hackers secretly control systems and steal data.
A serious flaw in AWS Bedrock's Sandbox mode allows attackers to create covert C2 channels and exfiltrate sensitive data. Users must transition to VPC mode for better security.
The Flaw
AWS Bedrock AgentCore's Sandbox mode was designed to provide complete network isolation. However, researchers from BeyondTrust discovered a critical flaw that undermines this promise. The Sandbox mode allows outbound DNS queries, which should not be possible in a truly isolated environment. This oversight enables threat actors to establish covert command-and-control (C2) channels, putting sensitive data at risk.
The researchers confirmed this vulnerability by using an out-of-band testing server, Interactsh, which received DNS queries from within the supposedly isolated environment. This single oversight effectively rendered the entire isolation model useless, allowing unauthorized access to sensitive information.
What's at Risk
The implications of this vulnerability are severe. The Code Interpreter, which allows AI agents to run code, operates with an assigned IAM role that grants extensive permissions. Through a shell carried over the DNS channel, attackers can execute AWS CLI commands under that role, potentially accessing sensitive data like customer personally identifiable information (PII), API credentials, and financial records. This poses a significant risk to both individual users and organizations relying on AWS services for data security.
Moreover, the default IAM role associated with the AgentCore Starter Toolkit provides full access to S3, DynamoDB, and Secrets Manager. This violates the principle of least privilege, making it easier for attackers to exploit the system.
Patch Status
BeyondTrust responsibly disclosed this vulnerability to AWS on September 1, 2025. It initially received a CVSSv3 score of 8.1, which was later adjusted to 7.5. AWS acknowledged the issue and attempted an initial fix on November 1, 2025, but this fix was rolled back. On December 23, 2025, AWS announced that no permanent fix would be issued, instead advising users to migrate to VPC mode for true isolation.
AWS has updated its documentation to clarify the limitations of Sandbox mode, but the lack of a robust fix raises concerns about the effectiveness of their security measures. Public disclosure of the vulnerability occurred on March 16, 2026, highlighting the urgency of addressing this issue.
Immediate Actions
Organizations using AWS Bedrock should take immediate action to mitigate risks associated with this vulnerability. Transitioning from Sandbox mode to VPC mode is crucial for ensuring true network isolation. Additionally, reviewing IAM roles and permissions is essential to limit access to sensitive data and reduce potential attack surfaces.
It's also important to monitor for any unusual DNS activity that may indicate exploitation attempts. Regular security assessments and updates to security protocols can help organizations stay ahead of potential threats stemming from this vulnerability. As the landscape of AI and cloud services evolves, maintaining vigilance is key to safeguarding sensitive information.
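One way to act on the DNS monitoring advice above, as an added example (not code from BeyondTrust, AWS or this article): a Python check that groups DNS query records by parent domain and flags domains queried with many distinct, high-entropy subdomains, the pattern that data carried over DNS tends to produce. The JSON field names `query_name` and `srcaddr`, the thresholds and the sample records are assumptions constructed for the illustration.

```python
import json
import math
from collections import Counter, defaultdict

ALPHA = "abcdefghijklmnopqrstuvwxyz234567"
# Constructed sample records, not real logs. "example.net" is a reserved documentation domain.
SAMPLE = [{"srcaddr": "10.0.1.5", "query_name": f"{svc}.us-east-1.amazonaws.com."}
          for svc in ("s3", "dynamodb", "secretsmanager")] * 4
SAMPLE += [{"srcaddr": "10.0.2.9", "query_name": f"{ALPHA[i:] + ALPHA[:i]}.t.example.net."}
           for i in range(8)]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE) + "\nnot-json\n"


def entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def find_tunnel_candidates(log_text, min_unique=5, min_entropy=3.5):
    """Flag parent domains queried with many distinct, random-looking subdomains."""
    subs = defaultdict(set)      # parent domain -> distinct subdomain strings
    sources = defaultdict(set)   # parent domain -> client addresses that queried it
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            labels = rec["query_name"].rstrip(".").lower().split(".")
            src = rec["srcaddr"]
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed or incomplete records
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        parent = ".".join(labels[-2:])  # simplification: ignores multi-label public suffixes
        subs[parent].add(".".join(labels[:-2]))
        sources[parent].add(src)
    findings = []
    for parent, names in subs.items():
        # Entropy is measured on the leftmost label, where encoded payloads usually sit.
        mean_h = sum(entropy(n.split(".")[0]) for n in names) / len(names)
        if len(names) >= min_unique and mean_h >= min_entropy:
            findings.append({"parent": parent, "unique_subdomains": len(names),
                             "mean_entropy": round(mean_h, 2),
                             "sources": sorted(sources[parent])})
    return findings


if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE_LOG):
        print(finding)
```

Thresholds need tuning against a baseline of normal traffic, since CDNs and some telemetry services also generate many random-looking subdomains.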
Cyber Security News