Researchers have shown a way to get around the sandbox isolation of AWS Bedrock AgentCore Code Interpreter, raising serious concerns about a newly discovered vulnerability that could allow attackers to set up covert command-and-control (C2) channels.

The problem has a CVSS v3 score of 7.5 and lets attackers exfiltrate sensitive information and run commands remotely through DNS traffic without triggering traditional network defenses. BeyondTrust's Phantom Labs found the flaw and made it public on March 16, 2026. It affects the AgentCore Code Interpreter's "Sandbox" network mode, which is meant to run dynamic code such as Python or shell scripts safely in isolated environments. AWS promotes the sandbox as a safe place to run code, backed by Firecracker microVMs that provide strong compute isolation.

Researchers, however, found a significant gap at the network layer: the sandbox lets outbound DNS requests through, but only for A and AAAA record lookups. This small allowance creates a strong attack vector. If an attacker gets code execution inside the interpreter through prompt injection, malicious AI-generated code, or a supply chain compromise, they can use DNS queries to communicate with a server outside the network.

The attack works by continuously polling a DNS server that the attacker controls. Commands are delivered to the compromised environment as IP addresses returned in DNS responses, and the sandbox turns these values back into instructions that can be run. At the same time, the compromised system exfiltrates data by encoding it as base64 chunks in DNS subdomain queries.

The result is a fully working, two-way C2 channel that uses only DNS traffic. The impact grows when the Code Interpreter is given AWS Identity and Access Management (IAM) roles that are too permissive. Researchers showed that attackers could use these permissions to query other AWS services, such as S3 buckets and DynamoDB.

Attackers can use the DNS-based C2 channel to enumerate cloud resources, access private files, and obtain personally identifiable information (PII), API keys, and financial information. Standard monitoring tools that only look at HTTP or TCP traffic might not see the activity because all communication happens over DNS, which makes these kinds of attacks much stealthier and more persistent.
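A defender-side sketch of how DNS query logs can surface this pattern, added here as an example and not taken from the article, BeyondTrust or AWS: it flags domains that receive many distinct long, high-entropy subdomain labels, which is the shape base64 chunks take in query names. The log records are constructed, their field names are assumed to follow Route 53 Resolver query logs, and the thresholds and the two-label base-domain guess are assumptions.

```python
import json
import math
from collections import Counter, defaultdict

MIN_LABEL_LEN = 16    # assumed threshold: encoded chunks make long labels
MIN_ENTROPY = 3.5     # assumed threshold, bits per character
MIN_SUSPICIOUS = 5    # assumed threshold: distinct suspicious names per domain

# Constructed sample log: field names follow Route 53 Resolver query logs,
# every domain and label below is a placeholder.
_CHUNKS = ["LTAx", "LTAy", "LTAz", "LTA0", "LTA1", "LTA2"]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in (
    [{"query_name": "s3.us-east-1.amazonaws.com.", "query_type": "A"},
     {"query_name": "dynamodb.us-east-1.amazonaws.com.", "query_type": "A"},
     {"query_name": "files.pythonhosted.org.", "query_type": "AAAA"},
     {"query_name": "poll.t.example.net.", "query_type": "A"}] * 3
    + [{"query_name": f"Y29uc3RydWN0ZWQtc2FtcGxl{c}.t.example.net.",
        "query_type": "A"} for c in _CHUNKS]))


def entropy(label):
    """Shannon entropy of a label in bits per character."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label))
                for n in counts.values())


def find_tunnel_candidates(log_text):
    """Return [(base_domain, suspicious_names, total_queries)] worth review."""
    names, totals = defaultdict(set), Counter()
    for line in log_text.splitlines():
        rec = json.loads(line)
        # Sandbox mode only lets A and AAAA lookups out, per the article.
        if rec["query_type"] not in ("A", "AAAA"):
            continue
        labels = rec["query_name"].rstrip(".").split(".")
        base = ".".join(labels[-2:]).lower()   # naive registered-domain guess
        totals[base] += 1
        longest = max(labels[:-2], key=len, default="")
        if len(longest) >= MIN_LABEL_LEN and entropy(longest) >= MIN_ENTROPY:
            names[base].add(rec["query_name"])
    return sorted((b, len(s), totals[b]) for b, s in names.items()
                  if len(s) >= MIN_SUSPICIOUS)


if __name__ == "__main__":
    for base, suspicious, total in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{base}: {suspicious} encoded-looking names in {total} queries")
```

Tune the thresholds against a baseline of normal traffic, since CDNs and some SaaS endpoints also use long generated hostnames.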

AWS Response and Advice on How to Fix It

AWS hasn't fixed the problem; instead, it has made clear in its documentation that DNS resolution is allowed in Sandbox mode. This means that companies are in charge of keeping their deployments safe. Security teams should:

- Check all active AgentCore Code Interpreter instances
- Avoid Sandbox mode for important tasks
- Move important environments to VPC mode to keep networks completely separate
- Set up Route 53 DNS Firewall and network ACLs to manage outbound traffic
- Use least-privilege IAM roles so that access to resources is limited to what is actually needed

This vulnerability shows that the risks in AI-integrated cloud services are changing and that traditional assumptions about isolation may not hold.

Organizations need to update their security plans to account for unconventional channels such as DNS-based exfiltration, especially in environments where dynamic or AI-generated code is running.