UNIT 42 details how the AWS Bedrock AgentCore Code Interpreter sandbox could be bypassed, enabling DNS tunnelling to transmit data from inside the sandbox and potentially establish bidirectional C2 communication.
The researchers demonstrated that the sandbox’s MMDS endpoint accepted unauthenticated HTTP GET requests, allowing retrieval of credentials in a scenario where the sandbox was supposed to block external access, and they uncovered two undocumented MMDS endpoints exposing a pre-signed S3 URL and a KMS Key ID.
They also showed that DNS queries could reach internal and external domains, creating a data-exfiltration channel through DNS tunnelling, and they used a PoC involving a domain they controlled to prove the concept.
AWS subsequently updated the developer guides, clarified sandbox capabilities, and, as of 14 February 2026, set MMDSv2 as the default for new agents, with v1 still available for existing setups in some tools; customers are advised to use VPC mode or enable Route 53 Resolver DNS Firewall for mitigation, according to AWS.
The piece concludes that the sandbox is not an absolute security boundary and highlights risks around credential exposure and potential abuse of an internal logging workflow, with a timeline detailing disclosures from 17 November 2025 to 14 February 2026.