AWS Bedrock AgentCore Sandbox Breached: DNS Tunneling and Credential Theft Risks Exposed

<h2 id="breaking">Breaking: Critical Sandbox Escape Vulnerability in AWS Bedrock AgentCore</h2>
<p>Security researchers at Unit 42 have uncovered severe vulnerabilities in Amazon's rapidly adopted Bedrock AI platform. The flaws allow attackers to break out of the AgentCore sandbox, exfiltrating data via DNS tunneling and potentially stealing AWS credentials.</p>
<figure style="margin:20px 0"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2026/04/05_Cloud_cybersecurity_research_Overview_1920x900.jpg" alt="AWS Bedrock AgentCore Sandbox Breached: DNS Tunneling and Credential Theft Risks Exposed" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: unit42.paloaltonetworks.com</figcaption></figure>
<p>The findings, published today, demonstrate that even sophisticated cloud AI services are not immune to sandbox escape exploits. Organizations using Bedrock could face data theft, lateral movement, and full account compromise if these vulnerabilities are not addressed immediately.</p>
<blockquote><p>"We were able to bypass the sandbox restrictions and establish outbound DNS tunnels, which could be used to siphon off credentials and sensitive data," said Dr. Emily Chen, lead researcher at Unit 42. "This is a wake-up call for anyone relying on AI-powered cloud services."</p></blockquote>
<p>Unit 42 recommends that all AWS Bedrock users apply patches as soon as they are available and review their security configurations. The full technical details are available in the Unit 42 blog post.</p>
<h2 id="background">Background</h2>
<p>Amazon Bedrock provides a managed service for building generative AI applications using foundation models. AgentCore is a component that executes user-created agents in a sandboxed environment to prevent unauthorized actions.</p>
<p>Unit 42 researchers discovered multiple memory corruption and logic bugs in AgentCore's sandbox isolation layer. By chaining these weaknesses, they could escape the sandbox and execute arbitrary code on the underlying host.</p>
<p>The exploitation involved crafting malicious input that triggered a heap overflow in AgentCore's processing pipeline. Once outside the sandbox, the attackers leveraged DNS tunneling to exfiltrate data and extract AWS credentials from the instance metadata service.</p>
<blockquote><p>"The DNS tunneling technique is particularly insidious because it blends in with normal outbound traffic, making detection difficult," explained Mike Torres, a cloud security analyst at Unit 42. "Attackers can siphon data over hours or days without raising alarms."</p></blockquote>
<h2 id="what-this-means">What This Means</h2>
<p>These vulnerabilities pose a direct threat to organizations using AWS Bedrock. Any application built on Bedrock that processes untrusted data or allows user-generated agents is at risk.</p>
<figure style="margin:20px 0"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/07/PANW_Parent.png" alt="AWS Bedrock AgentCore Sandbox Breached: DNS Tunneling and Credential Theft Risks Exposed" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: unit42.paloaltonetworks.com</figcaption></figure>
<p>Successful exploitation could lead to:</p>
<ul>
<li><strong>Data exfiltration</strong> of proprietary datasets, customer information, or intellectual property loaded into Bedrock models.</li>
<li><strong>Credential theft</strong> allowing attackers to access other AWS resources such as S3 buckets, databases, and compute instances.</li>
<li><strong>Lateral movement</strong> within the AWS environment, potentially compromising multiple services.</li>
</ul>
<p>Chris Morrison, a cloud security expert not involved in the research, commented: "This is a critical issue because Bedrock is being integrated into many production workflows. The sandbox was the last line of defense. Now that it's broken, companies need to reassess their trust boundaries."</p>
<p>AWS has been notified and is expected to release patches in the coming days. In the meantime, users should apply strict network egress controls, monitor for unusual DNS activity, and restrict AgentCore's access to credentials using IAM roles with minimal permissions.</p>
<ol>
<li><strong>Immediate actions:</strong> Block outbound DNS traffic from AgentCore instances unless explicitly required.</li>
<li><strong>Long-term fix:</strong> Apply the security update from AWS as soon as it is released.</li>
<li><strong>Detection:</strong> Review CloudTrail logs for anomalous API calls from Bedrock resources.</li>
</ol>
<p>Unit 42's discovery underscores the evolving threat landscape where AI services become new attack surfaces. Organizations must treat these platforms with the same rigor as any other critical infrastructure.</p>
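<p>Added example, not code from the Unit 42 post or from AWS: a small Python detector for the "unusual DNS activity" recommended above, run over constructed resolver-log records. It groups queries by source and base domain and flags groups whose subdomains are mostly unique, long and high-entropy, which is what encoded data carried in query names looks like. The log field names (Route 53 Resolver query-log style), the thresholds and the sample records are assumptions to tune against your own baseline.</p>

```python
import json
import math
from collections import Counter, defaultdict
# Constructed sample log, not real traffic. Field names follow the Route 53 Resolver
# query log format (an assumption); the last four records imitate a tunnel: TXT
# queries whose labels are long, high-entropy and never repeat.
SAMPLE_LOG = """
{"srcaddr":"10.0.1.25","query_type":"A","query_name":"bedrock-runtime.us-east-1.amazonaws.com."}
{"srcaddr":"10.0.1.25","query_type":"A","query_name":"bedrock-runtime.us-east-1.amazonaws.com."}
{"srcaddr":"10.0.1.25","query_type":"A","query_name":"s3.us-east-1.amazonaws.com."}
{"srcaddr":"10.0.1.25","query_type":"A","query_name":"bedrock-runtime.us-east-1.amazonaws.com."}
{"srcaddr":"10.0.1.25","query_type":"TXT","query_name":"7f3a9c1e5b2d8046.a1c4e7f90b3d6258.tun.example."}
{"srcaddr":"10.0.1.25","query_type":"TXT","query_name":"0e8b5f2a6c9d3174.d47c1b9e0f5a2836.tun.example."}
{"srcaddr":"10.0.1.25","query_type":"TXT","query_name":"39ba0d6e2c5f8174.6f0e4a8d2b7c1953.tun.example."}
{"srcaddr":"10.0.1.25","query_type":"TXT","query_name":"c25a7e9f1d03b846.81d4f6b0a9e3c527.tun.example."}
"""

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    """'a.b.example.com.' -> ('ab', 'example.com'); the registrable domain is
    approximated as the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnels(lines, min_queries=4, min_unique_ratio=0.9, min_mean_len=30, min_mean_entropy=3.5):
    """Group queries by (source, base domain); return stats for groups that look like encoded data."""
    groups = defaultdict(list)
    for rec in (json.loads(line) for line in lines if line.strip()):
        sub, dom = split_name(rec["query_name"])
        groups[(rec["srcaddr"], dom)].append((rec["query_name"], sub, rec.get("query_type")))
    flagged = {}
    for key, qs in groups.items():
        n = len(qs)
        if n < min_queries:          # too few queries to judge
            continue
        st = {"queries": n,
              "unique_ratio": len({q[0] for q in qs}) / n,   # tunnels rarely repeat a name
              "mean_len": sum(len(q[1]) for q in qs) / n,    # encoded payload makes names long
              "mean_entropy": sum(shannon_entropy(q[1]) for q in qs) / n,
              "txt_ratio": sum(q[2] == "TXT" for q in qs) / n}  # reported, not required
        if (st["unique_ratio"] >= min_unique_ratio and st["mean_len"] >= min_mean_len
                and st["mean_entropy"] >= min_mean_entropy):
            flagged[key] = st
    return flagged
```

Run it over a window of your own resolver logs (for example one hour per VPC) and alert on flagged (source, domain) pairs; the repeated benign lookups of the Bedrock and S3 endpoints in the sample are not flagged because most of their names repeat and are short.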