Apache Spark - Authentication Bypass (CVE-2020-9480)

CVE-2020-9480 is a critical vulnerability in Apache Spark 2.4.5 and earlier that allows unauthenticated attackers to bypass authentication on standalone resource manager masters. By sending specially-crafted RPC requests, attackers can start application resources and execute arbitrary shell commands on the host machine, potentially leading to full system compromise. This issue does not affect Spark clusters managed by YARN, Mesos, or other resource managers.

CrowdSec has been tracking this vulnerability and its exploits since 15th of October 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2020-9480 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. CrowdSec data also reveals a clear uptick in attacks involving CVE-2020-9480 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit the Apache Spark REST API by sending crafted POST requests to the /v1/submissions/create endpoint, bypassing authentication to execute arbitrary commands or deploy malicious applications on the cluster. This activity targets Spark Master nodes typically running on port 6066.