Apache Spark - Authentication Bypass (CVE-2020-9480)

CVE-2020-9480 is a critical vulnerability in Apache Spark 2.4.5 and earlier that allows unauthenticated attackers to bypass authentication on standalone resource manager masters. By sending specially-crafted RPC requests, attackers can start application resources and execute arbitrary shell commands on the host machine, potentially leading to full system compromise. This issue does not affect Spark clusters managed by YARN, Mesos, or other resource managers.

CrowdSec has been tracking this vulnerability and its exploits since 15th of October 2025.

CrowdSec network observations suggest that most exploitation of CVE-2020-9480 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. CrowdSec network telemetry also shows that exploitation of CVE-2020-9480 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit the Apache Spark REST API by sending crafted POST requests to the /v1/submissions/create endpoint, bypassing authentication to execute arbitrary commands or deploy malicious applications on the cluster. This activity targets Spark Master nodes typically running on port 6066.