Amazon Web Services: Researchers Find Data Leak Risk in AWS Bedrock AI Code Interpreter

AWS Bedrock Vulnerability Exposes Sensitive Data via DNS Exfiltration

Cybersecurity researchers at Phantom Labs (the research arm of BeyondTrust) uncovered a critical flaw in AWS Bedrock’s AgentCore Code Interpreter, a tool that lets AI chatbots execute code for tasks like data analysis. The vulnerability, discovered by lead researcher Kinnaird McQuade, allowed attackers to bypass AWS’s Sandbox mode, which is designed to isolate AI-generated code from external networks, and exfiltrate sensitive data via DNS queries.

The Exploit: DNS as a Covert Channel

While Sandbox mode blocks most outbound traffic, it permits DNS requests (A and AAAA records), which attackers exploited to smuggle data. Researchers demonstrated a proof-of-concept (PoC) command-and-control channel, encoding stolen information in chunked ASCII within DNS subdomains and establishing a two-way communication path with the isolated AI. This method effectively circumvented AWS’s security controls, even in supposedly air-gapped environments.
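
Seen from the defender's side, data chunked into subdomain labels leaves a recognizable footprint in resolver logs: one parent domain receiving many distinct, long, high-entropy names. The sketch below is an added example, not code from the article or from the researchers' PoC. The log tuple format, the thresholds, and the domain `tunnel-test.example` are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver log entries: (query name, record type).
# The domain tunnel-test.example and all labels are made up for illustration.
SAMPLE_QUERIES = [
    ("s3.us-east-1.amazonaws.com.", "A"),
    ("secretsmanager.us-east-1.amazonaws.com.", "A"),
    ("files.pythonhosted.org.", "AAAA"),
    ("pypi.org.", "A"),
    ("0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel-test.example.", "A"),
    ("1a2b3c4d5e6f708192a3b4c5d6e7f809.tunnel-test.example.", "A"),
    ("9e8d7c6b5a4f30211203f4a5b6c7d8e9.tunnel-test.example.", "AAAA"),
    ("a0b1c2d3e4f5061728394a5b6c7d8e9f.tunnel-test.example.", "A"),
    ("5f4e3d2c1b0a99887766a0b1c2d3e4f5.tunnel-test.example.", "A"),
]

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def split_name(qname, base_labels=2):
    """Split into (subdomain, parent). Using the last two labels as the parent
    is a simplification; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def find_exfil_candidates(queries, min_unique=4, min_len=20, min_entropy=3.0):
    """Return parents that received many distinct long, high-entropy subdomains."""
    subs_by_parent = defaultdict(set)
    for qname, qtype in queries:
        if qtype not in ("A", "AAAA"):  # the record types Sandbox mode permits
            continue
        sub, parent = split_name(qname)
        if sub:
            subs_by_parent[parent].add(sub)
    findings = {}
    for parent, subs in subs_by_parent.items():
        payloads = [s.replace(".", "") for s in subs]
        hits = [p for p in payloads
                if len(p) >= min_len and shannon_entropy(p) >= min_entropy]
        if len(hits) >= min_unique:
            findings[parent] = {"unique_suspicious": len(hits),
                                "payload_chars": sum(len(p) for p in hits)}
    return findings

if __name__ == "__main__":
    for parent, stats in find_exfil_candidates(SAMPLE_QUERIES).items():
        print(parent, stats)
```

A single long AWS endpoint name such as `secretsmanager.us-east-1` also clears the length and entropy thresholds, which is why the detector requires several distinct suspicious names under one parent before flagging it.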

AWS’s Response: A Failed Fix and Documentation Update

Phantom Labs disclosed the flaw to AWS in September 2025, prompting an initial patch in November 2025. However, AWS withdrew the fix two weeks later due to technical issues and, by December 2025, opted against a new patch. Instead, AWS updated its documentation to warn users of the risk, assigning the vulnerability a high-severity score of 7.5/10. As part of responsible disclosure, McQuade received a $100 AWS gift card for the finding.

Broader Risks: AI Manipulation and Supply Chain Threats

The vulnerability highlights multiple attack vectors:

  • Prompt injection: Malicious inputs could trick AI into executing unauthorized code.
  • Supply chain attacks: The Code Interpreter relies on 270+ third-party libraries (e.g., pandas, numpy), any of which could be compromised to create backdoors.
  • Overprivileged access: AI tools often have broad permissions to Amazon S3 storage and Secrets Manager, enabling attackers to extract passwords, customer data, or even delete infrastructure if the DNS leak is exploited.

Industry Reactions and Mitigation Strategies

Security experts criticized AWS’s reliance on perimeter-based controls, noting that AI environments require deeper safeguards. Ram Varadarajan (CEO, Acalvio) argued that traditional defenses fail against AI-driven threats, advocating for deception-based security such as honey IAM credentials and DNS sinkholes to detect malicious activity.

Jason Soroko (Senior Fellow, Sectigo) emphasized the urgency of proactive measures, given AWS’s decision to address the flaw through documentation rather than a patch. He recommended:

  • Migrating critical AgentCore instances from Sandbox to VPC mode for stricter network isolation.
  • Enforcing least-privilege IAM roles to limit AI tool permissions.

The incident underscores the growing risks of AI-powered code execution, where even sandboxed environments may harbor exploitable gaps.

Source: https://hackread.com/data-leak-risk-in-aws-bedrock-ai-code-interpreter/

Amazon Web Services (AWS) cybersecurity rating report: https://www.rankiteo.com/company/amazon-web-services

"id": "AMA1773707045",
"linkid": "amazon-web-services",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"