Exam Portal Security · Vulnerability Report · May 31, 2026, 4:21 PM · 8 min read · #2 of 2 in technology

Indian Exam Board Admits to Cybersecurity Flaws Found by Teen Researcher

India's Central Board of Secondary Education (CBSE) has acknowledged vulnerabilities in its digital evaluation portal after a 19-year-old cybersecurity researcher exposed flaws that could potentially allow unauthorized access to examiner accounts.

By Factlen Editorial Team

Cybersecurity Community 40% · Government & CBSE 30% · Students & Educators 30%

  • Cybersecurity Community: Views the incident as a textbook example of poor institutional security practices and ignored responsible disclosures.
  • Government & CBSE: Frames the event as a contained technical glitch resolved through collaboration with state experts.
  • Students & Educators: Sees the breach as a severe threat to the integrity and fairness of the high-stakes examination system.

What's not represented

  • The third-party vendor responsible for developing and maintaining the vulnerable On-Screen Marking portal.
  • University admissions officers who rely on the absolute integrity of CBSE Class 12 marks to make enrollment decisions.
  • Representatives from CERT-In explaining the three-month delay in responding to the vulnerability disclosure.

Why this matters

India's Central Board of Secondary Education handles the academic futures of millions of students, and its admission of severe cybersecurity flaws exposes the fragility of the country's digital grading infrastructure. The incident highlights a systemic failure to act on responsible disclosures, raising critical questions about data privacy and the integrity of high-stakes national examinations.

Key points

  • A 19-year-old researcher discovered critical security flaws in the CBSE's digital grading portal used for Class 12 exams.
  • Vulnerabilities included a hardcoded master password and misconfigured cloud storage, exposing sensitive student data and answer sheets.
  • The flaws theoretically allowed attackers to take over examiner accounts and modify students' marks without authorization.
  • The researcher reported the issues to India's national cybersecurity agency in February, but no action was taken for three months.
  • After initially denying the breach, the CBSE publicly admitted the flaws on June 1 and deployed IIT experts to secure the system.

  • 1.8 million: Students who took the CBSE Class 12 exams this year
  • 19: Age of the cybersecurity researcher who found the vulnerabilities
  • 3 months: Time between the initial disclosure to CERT-In and public acknowledgment
  • 400,000+: Students who applied for scanned copies of their answer sheets

India's apex education board, the Central Board of Secondary Education (CBSE), has officially acknowledged critical vulnerabilities in its digital grading infrastructure, validating the claims of a 19-year-old cybersecurity researcher. The admission marks a sharp reversal for the board, which initially dismissed the reported flaws as isolated to a testing environment and denied any risk to live student data. The incident has exposed the fragility of the digital systems used to evaluate one of the country's most important school-leaving examinations, raising alarm among millions of students and parents. The breach highlights a systemic failure within Indian institutions to act on responsible cybersecurity disclosures, as the vulnerabilities were reportedly ignored for months before public pressure forced the board's hand.[2][4][7][8][11]

The controversy centers on the discoveries of Bengaluru-based student researcher Nisarga Adhikary, who probed the security of the CBSE's On-Screen Marking (OSM) portal. Introduced to modernize the evaluation process, the OSM system allows teachers to log into a web-based platform to digitally grade scanned copies of students' physical answer sheets. In February 2026, Adhikary discovered that the portal suffered from elementary security failures that compromised its core functionality. Most alarmingly, the researcher found a master password hardcoded directly into the website's source code, a rudimentary error that provided a skeleton key to bypass standard security protocols. This discovery was the first thread in a larger web of vulnerabilities that threatened the entire evaluation ecosystem.[2][3][4][7]

The technical details of the disclosure paint a picture of a system lacking fundamental modern security safeguards. According to Adhikary's technical breakdown, the portal relied on insecure client-side validation for its One-Time Password (OTP) verification process. Because parts of the authentication logic were executed on the user's browser rather than being fully validated on the secure server, the multi-step security check provided no real protection. By manipulating browser storage or session parameters, an attacker could theoretically bypass the OTP requirement entirely, using the hardcoded master password to gain unauthorized entry into the system. Furthermore, internal routes of the application lacked proper access restrictions, leaving sensitive dashboard and evaluation pages exposed.[2][3]
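
The server-side check that the paragraph above says was missing, as an added Node.js example (not the portal's code or the researcher's): the OTP is issued, compared and marked verified only in server-held session state, so nothing placed in browser storage can satisfy the route guard, and there is no fallback credential path. The function names, the in-memory `sessions` store, the five-minute lifetime and the five-attempt limit are assumptions made for illustration.

```javascript
// Added example: OTP verification held entirely in server-side state.
// All names, the in-memory store and the limits below are illustrative assumptions.
const crypto = require("node:crypto");

const OTP_TTL_MS = 5 * 60 * 1000; // assumed OTP lifetime
const MAX_ATTEMPTS = 5;           // assumed guess limit per login

// Stand-in for a server-side session store (a database or cache in practice).
const sessions = new Map();

const sha256 = (text) => crypto.createHash("sha256").update(text).digest();

// Called after the password step succeeds. The returned otp is handed to the
// SMS or e-mail sender only; it is never placed in the HTTP response or page.
function beginLogin(userId, now = Date.now()) {
  const sessionId = crypto.randomBytes(16).toString("hex");
  const otp = crypto.randomInt(0, 1000000).toString().padStart(6, "0");
  sessions.set(sessionId, {
    userId,
    otpHash: sha256(otp), // the OTP itself is not stored
    expiresAt: now + OTP_TTL_MS,
    attempts: 0,
    otpVerified: false,
  });
  return { sessionId, otp };
}

// Compares the submitted code on the server, with expiry, attempt limiting,
// single use and a constant-time comparison of equal-length digests.
function verifyOtp(sessionId, submitted, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || s.otpHash === null) return false;
  if (now > s.expiresAt || s.attempts >= MAX_ATTEMPTS) {
    s.otpHash = null; // expired or locked: a new login is required
    return false;
  }
  s.attempts += 1;
  const ok = crypto.timingSafeEqual(sha256(String(submitted)), s.otpHash);
  if (ok) {
    s.otpVerified = true;
    s.otpHash = null; // single use
  }
  return ok;
}

// Guard for every internal route (dashboard, evaluation pages). The decision
// reads only the server-side record; any flag the client sends is ignored.
function authorize(request) {
  const s = sessions.get(request.sessionId);
  return Boolean(s && s.otpVerified);
}
```
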

Beyond the login portal itself, Adhikary discovered that the CBSE's cloud storage infrastructure was severely misconfigured. This misconfiguration left highly sensitive examination records—including scanned answer sheets and question papers from the active 2026 examination cycle—exposed to the public internet. The files could be accessed and downloaded without requiring any authentication or login credentials. The researcher noted that the same flawed storage infrastructure was reportedly being utilized by multiple educational institutions, multiplying the potential scope of the data exposure. This meant that the vulnerability was not just a theoretical gateway, but an open door to the raw data that dictates the academic futures of millions of Indian students.[2][6][10]

The massive scale of the data at risk in the CBSE's On-Screen Marking system.

The combination of these authentication bypasses and storage misconfigurations created a worst-case scenario for the examination board. Security experts noted that an attacker could leverage these flaws to achieve a full takeover of an examiner's account. Once inside the system with administrative or evaluator privileges, a malicious actor could view assigned answer scripts, modify students' marks, and severely disrupt the grading process. Adhikary also claimed to have gained access to personally identifiable information (PII) connected to the evaluators themselves, including names, email addresses, and phone numbers, further compounding the severity of the breach. The potential for untraceable tampering struck at the very heart of the board's mandate to provide fair and accurate evaluations.[4][6][8][9]

Despite the severity of the findings, the institutional response was characterized by prolonged inaction. Adhikary followed standard responsible disclosure protocols, compiling technical evidence, walkthroughs, and supporting documentation detailing five critical vulnerabilities. He submitted this dossier to the Indian Computer Emergency Response Team (CERT-In), the national nodal agency for cybersecurity, on February 25, 2026. While CERT-In acknowledged the disclosure with a standard automated email, no remedial action was taken. For over three months, the vulnerabilities remained unpatched on the live production servers, leaving the examination data of millions of students silently exposed while the board continued its evaluation processes.[2][3][4][5][7]

Frustrated by the institutional silence and the ongoing risk to student data, Adhikary decided to force the issue into the public domain. On May 22, he published a detailed blog post outlining his findings and the timeline of his ignored disclosures. The situation escalated rapidly on May 26 when tech entrepreneur Deedy Das amplified the researcher's claims on the social media platform X. Das called the security lapses an "absolute embarrassment" and highlighted the terrifying reality that the vulnerabilities could have allowed someone to "view and CHANGE any students' marks". The viral post ignited a firestorm of criticism from cybersecurity experts, students, and parents, transforming a quiet technical disclosure into a national scandal.[3][4][7]

As the controversy gained traction online, the CBSE's initial instinct was to deny the severity of the breach. On May 26, the board issued an official clarification on X, claiming that the system accessed by Adhikary was merely a test environment containing dummy data, not the live production platform used for actual grading. The board emphatically stated that "no security breaches have come to light on the portal deployed for the actual evaluation work," attempting to reassure the public that the integrity of the ongoing results processing remained intact. This defensive posture, however, quickly unraveled as the researcher provided further evidence contradicting the board's official narrative.[2][6][8][11]

To counter the board's denial, Adhikary revealed the true extent of his access, demonstrating that he had obtained what cybersecurity experts refer to as "write access" to the CBSE's live production servers. "Yes, I could write into their servers and upload my own pages there and deface their pages and so on," Adhikary stated. As proof, he pointed to an earlier instance where he and other researchers had successfully embedded and played the viral "Bad Apple" video directly on a live CBSE production website. This undeniable technical evidence proved that unauthorized content could be uploaded to the live system, thoroughly dismantling the board's claim that the vulnerabilities were confined to a harmless testing environment.[6]

Timeline of the disclosure: It took three months for the board to publicly acknowledge the vulnerabilities.

Faced with mounting public pressure and irrefutable technical proof, the CBSE finally capitulated on June 1, 2026. In a stark reversal of its previous stance, the board released a statement admitting it was "closely monitoring" the weaknesses in the OnMark portal of its service provider. The CBSE confirmed that the identified vulnerabilities had been contained and that other exploitable weaknesses were being actively ruled out. In a notable shift in tone, the board expressed gratitude to "alert citizens and ethical hackers" for pointing out the flaws, acknowledging that they had gotten in touch with some of the researchers directly to address the crisis.[2][4][5][8][11]

To secure the compromised infrastructure and restore public trust, the CBSE initiated an emergency remediation effort. The board announced the deployment of a specialized team of cybersecurity professionals drawn from various government agencies and the prestigious Indian Institutes of Technology (IITs). Over several days, these experts worked to fortify the grading systems and migrate the entire portal to a "more secure set up". While the immediate technical holes have been plugged, the reliance on an external task force to secure a fundamental piece of national infrastructure has raised ongoing questions about the CBSE's internal technical capabilities and its oversight of third-party vendors.[5][9][11]

The cybersecurity debacle arrives at a particularly fraught moment for India's education sector, compounding existing anxieties about the integrity of national examinations. The incident coincides with widespread student complaints regarding the re-evaluation process for the Class 12 exams. Thousands of students alleged that the physical answer sheets they received upon request differed from the digital copies provided by the board, while others reported portal crashes, payment glitches, and incorrect marks. The revelation that the digital grading portal was fundamentally insecure has validated these suspicions, leading many to question whether the reported discrepancies were the result of technical errors or malicious tampering.[8][9]

The technical failings have also cast a harsh spotlight on the CBSE's procurement and vendor selection processes. The controversy deepened when another teenage researcher, 18-year-old Sarthak Sidhant, publicly alleged that the board had modified tender requirements in a manner that favored Coempt Edu Teck, the vendor responsible for the portal. Sidhant pointed out that the vendor had previously faced examination-related controversies, raising serious questions about institutional transparency and the criteria used to award critical infrastructure contracts. The allegations suggest that the cybersecurity failures may be symptomatic of deeper administrative and procedural flaws within the education board.[2]

Misconfigured cloud storage left highly sensitive student data exposed to unauthorized access.

The stakes of these vulnerabilities cannot be overstated in the context of the Indian education system. The Class 12 board exams serve as the primary, high-pressure gateway for university admissions and future career prospects, with approximately 1.8 million students taking the tests this year. Over 400,000 of these students applied for scanned copies of their answer sheets, highlighting the immense anxiety surrounding the grading process. The integrity of these results is paramount; any perception that the system can be easily hacked or manipulated threatens to undermine the meritocratic foundation of higher education admissions across the country.[5][8][9]

Ultimately, the incident serves as a watershed moment for how Indian government institutions handle cybersecurity and interact with the independent research community. The three-month delay between Adhikary's initial disclosure to CERT-In and the CBSE's public admission highlights a dangerous bottleneck in the country's cyber defense posture. While the board eventually thanked the ethical hackers, the fact that a 19-year-old had to trigger a viral social media scandal to force the patching of critical national infrastructure indicates that systemic reforms are urgently needed to protect the digital futures of India's students.[2][7][9]

How we got here

  1. Feb 25, 2026

    Researcher Nisarga Adhikary reports five critical vulnerabilities in the CBSE grading portal to CERT-In.

  2. May 22, 2026

    After months of institutional inaction, Adhikary publishes a detailed blog post outlining the security flaws.

  3. May 26, 2026

    The disclosure goes viral on social media; CBSE issues a statement claiming the vulnerable site was merely a testing environment.

  4. June 1, 2026

    CBSE publicly admits to the vulnerabilities, stating they have been contained, and deploys experts to secure the system.

Viewpoints in depth

Independent Cybersecurity Researchers

Ethical hackers argue that government institutions are dangerously slow to respond to critical vulnerability disclosures.

Researchers like Nisarga Adhikary emphasize that responsible disclosure protocols are failing when agencies like CERT-In acknowledge receipt of critical flaws but take no action for months. They argue that going public is often the only way to force institutional accountability, especially when the vulnerabilities expose the personal data and academic futures of millions of students. The community views the initial denial by the CBSE as a standard, defensive reflex that prioritizes public relations over actual data security.

The Education Board (CBSE)

The board maintains that the core integrity of the examination results remains intact despite the technical flaws.

While eventually admitting to the vulnerabilities, the CBSE emphasizes that the issues have been contained and that no actual tampering of student marks occurred on the live evaluation portal. The board views the incident as a vendor-side technical failure rather than a systemic collapse, pointing to their rapid deployment of IIT experts to migrate the portal to a secure environment once the public outcry began. They maintain that the final examination results are accurate and trustworthy.

Students and Parents

Stakeholders are losing faith in the digital infrastructure that dictates their academic futures.

For the 1.8 million students who took the exams, the cybersecurity flaws validate existing anxieties about the digital grading process. With over 400,000 students already requesting scanned copies of their answer sheets due to suspected grading errors, the revelation that the portal was vulnerable to unauthorized access has deepened suspicions. Many parents and students fear that the system is fundamentally unreliable and opaque, questioning whether reported discrepancies were technical glitches or the result of malicious tampering.

What we don't know

  • Whether any malicious actors discovered and exploited the vulnerabilities to alter student marks before the system was secured.
  • The exact volume and nature of the personally identifiable information (PII) exposed in the misconfigured cloud storage buckets.
  • Why the Indian Computer Emergency Response Team (CERT-In) failed to act on the critical vulnerability disclosure for over three months.

Key terms

  • On-Screen Marking (OSM) portal: A digital platform used by the CBSE that allows teachers to evaluate scanned copies of students' physical answer sheets online.
  • CERT-In: The Indian Computer Emergency Response Team, the national nodal agency responsible for responding to computer security incidents.
  • Client-side validation: A security check performed on the user's web browser rather than on the central server, which can often be easily bypassed by attackers.
  • Hardcoded password: A password that is written directly into the source code of a software application, making it easily discoverable by anyone who inspects the code.
  • Write access: A level of permission that allows a user not only to view data but also to modify, add, or delete files on a live server.

Frequently asked

Were any students' marks actually changed?

The CBSE maintains that no unauthorized alterations of marks occurred on the live evaluation portal, though the vulnerabilities made such tampering theoretically possible.

How did the researcher find the flaws?

Nisarga Adhikary analyzed the On-Screen Marking portal and found elementary security failures, including a master password written directly into the website's source code.

Why did it take so long to fix?

The researcher reported the flaws to India's national cybersecurity agency in February 2026, but the issue was seemingly ignored until public pressure mounted in late May.

What is the CBSE doing to fix the problem?

The board has deployed a team of cybersecurity experts from government agencies and the Indian Institutes of Technology (IITs) to fortify the system and move it to a secure setup.

Sources

  1. [1] Hindustan Times: 19-year-old Nisarga Adhikary claimed CBSE OSM test site had flaws that could let hackers bypass security and tamper with marks
  2. [2] India Today: After triggering the OSM controversy, 19-year-old ethical hacker Nisarga Adhikary has made a fresh claim against CBSE, alleging that a CBSE-linked AWS bucket exposed scanned answer sheets and question papers online
  3. [3] Al Jazeera English: Student-led disclosures have snowballed into outrage against Indian Prime Minister Narendra Modi's
  4. [4] Newslaundry: Inside CBSE's digital evaluation fiasco
  5. [5] Gulf News: Inside CBSE's OSM controversy: How hacked portals, blurred answer sheets and a tender row exposed security flaws in digital exam evaluation
  6. [6] The Straits Times: India’s school exam board says it has contained vulnerabilities in its online grading portal
  7. [7] India Times: CBSE OSM controversy: 19-year-old cybersecurity researcher claims he found major vulnerabilities in board's digital evaluation portal