BeyondTrust researchers said in a blog post that AWS acknowledged the report and reproduced the issue during the disclosure process, but ultimately chose not to patch the behavior, calling it an “intended functionality rather than a defect.”
The “allowed” DNS path breaks isolation
The issue is that the sandbox environment permits outbound DNS queries, which can be manipulated to create a bidirectional communication channel between the AI agent and an external attacker-controlled server. By encoding data into DNS queries and responses, BeyondTrust’s Phantom Labs team demonstrated exfiltrating data and even establishing an interactive reverse shell, without triggering any network restrictions.
“The (vulnerable) environment permits outbound DNS queries for A and AAAA records, a structural allowance that threat actors can exploit to establish a bidirectional command-and-control channel,” said Jason Soroko, senior fellow at Sectigo. Once that channel is in place, the rest becomes a question of permissions. If the agent is operating with overly broad IAM roles, the blast radius expands quickly.
