AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

Why it matters: DNS-based C2 defeats sandbox promises, exposing cloud AI workloads to data breaches.

- BeyondTrust reveals sandbox mode in Amazon Bedrock AgentCore Code Interpreter permits DNS queries, breaking promised network isolation (CVSS 7.5).
- Amazon classifies the DNS capability as intended functionality, urging customers to switch to VPC mode and deploy DNS firewalls for true isolation.
- Sectigo stresses that over-privileged IAM roles can amplify data exposure, recommending inventory and migration of critical workloads.
- Key Detail: Attackers can use DNS A-record lookups for bidirectional C2, delivering payloads and exfiltrating data from linked AWS resources like S3.

BeyondTrust researchers discovered that Amazon Bedrock's AgentCore Code Interpreter sandbox permits outbound DNS queries, enabling attackers to establish command-and-control channels, exfiltrate data, and achieve remote code execution. Amazon says this behavior is intentional and advises moving to VPC mode and using DNS firewalls, while security experts warn that over-privileged IAM roles amplify the risk.
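A DNS channel like the one described above leaves a recognisable trace in resolver query logs: a burst of long, high-entropy subdomain lookups against a single parent domain. The following detector is an added example (not code from BeyondTrust, Amazon, or the advisory); the log records are constructed, and the parent-domain extraction is a simplification of what a production rule would do with a public-suffix list.

```python
"""Flag DNS queries that look like tunnelled C2/exfiltration traffic."""
import math
from collections import defaultdict

# Constructed sample in the shape of (source IP, query type, query name),
# mimicking the fields a resolver query log exposes. Not real data.
SAMPLE_LOG = [
    ("10.0.3.14", "A", "pypi.org"),
    ("10.0.3.14", "A", "files.pythonhosted.org"),
    ("10.0.3.14", "A", "7a3f9c1e4b2d8a6f0c5e1b9d3a7f2c4e.c2.example"),
    ("10.0.3.14", "A", "9e2b4d6f8a1c3e5b7d9f1a3c5e7b9d2f.c2.example"),
    ("10.0.3.14", "A", "1c3e5b7d9f2a4c6e8b0d1f3a5c7e9b4d.c2.example"),
    ("10.0.3.14", "A", "repo.maven.apache.org"),
]


def shannon_entropy(label):
    """Bits of entropy per character; encoded payloads score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Last two labels (assumption: no public-suffix handling in this example)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def suspicious_subdomain(qname, min_label_len=24, min_entropy=3.0):
    """True if any subdomain label is both long and high-entropy."""
    labels = qname.rstrip(".").split(".")[:-2]
    return any(len(l) >= min_label_len and shannon_entropy(l) >= min_entropy
               for l in labels)


def detect_tunneling(records, min_hits=3):
    """Return {parent_domain: hit_count} for domains with >= min_hits
    suspicious lookups. Record-type filter covers the A lookups the
    advisory describes plus the other types commonly used for tunnelling."""
    hits = defaultdict(int)
    for _src_ip, qtype, qname in records:
        if qtype in ("A", "AAAA", "TXT") and suspicious_subdomain(qname):
            hits[registrable_domain(qname)] += 1
    return {d: n for d, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(detect_tunneling(SAMPLE_LOG))  # {'c2.example': 3}
```

In an AWS deployment the same logic would run over Route 53 Resolver query logs for the VPC the sandbox is moved into, alongside a DNS Firewall rule that blocks or alerts on domains outside an allow list.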