A young ethical hacker, Nisarga Adhikary, has exposed a glaring vulnerability in India’s digital education infrastructure, demonstrating that a crucial Central Board of Secondary Education (CBSE) portal was left wide open to manipulation. As part of its ‘Digital India’ push, the CBSE recently transitioned to an online On-Screen Marking (OSM) system for Class 12 board exams, where examiners log in to evaluate scanned answer scripts. However, a major security failure by the system’s developer, Hyderabad-based Coempt EduTeck Pvt Ltd, left the platform so exposed that virtually anyone could have hacked in to alter student answer sheets. The security breakdown is compounded by a sluggish official response. When Adhikary discovered the flaws on February 25, 2026, he immediately alerted the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology (MeitY). Despite the high stakes, he received only a generic “Thank you” acknowledgement. Months after no corrective action was taken to secure the platform, Adhikary went public, detailing the vulnerabilities in a May 22 blog post. In an exclusive interview with businessline, Adhikary breaks down how he breached the system and the deeper institutional apathy that followed. Edited excerpts:How did you get to know about the vulnerabilities of the CBSE portal? What kind of response did you get from CERT-In when you pointed out the vulnerabilities?Back on February 25, while my own Class 12 Board exams were underway, CBSE announced that evaluation would be entirely digital. Out of sheer curiosity, I started looking into how the system worked. I opened the portal and began analyzing it. Because I didn’t have a login ID or password, I couldn't send standard requests, but I managed to extract the source code. That is when I discovered a hardcoded 'Master Password' that could bypass all authentication, regardless of the user ID. I found a valid user ID, paired it with the Master Password, and immediately gained access to the main dashboard where I could actively edit students' marks. I recorded the entire process and flagged it to CERT-In. Their response was a automated "Thank you for reporting”. A few days later, I reported five additional vulnerabilities. In response, they took the portal down for two or three days, removed the Master Password, and called it a day. But the remaining flaws were just as severe, and they left them completely untouched. That is why I decided to go public.How easy was it hack into the system?I have been doing ethical hacking for a long long time now. I am 19 now but when I was in sixth or seventh grade, I started experimenting with it. It is really easy for me and it will be just as easy for anyone, even those who have never tried hacking before, because it was just a really easy mistake on their side, lazy engineering and really bad at what they did.What about this company that had developed this website, did you tell them their mistakes?Yes, I also contacted the company. But they did not reply. Actually, this company has a bad track record. They used to be known as something else in 2019, and they did a similar kind of goof-up and it resulted in major howlers, students committing suicides. I think it was Telangana State Board exams.So what is your message to the government or authorities because such incidents keep happening now and youngsters are suffering?I just hope that they take us a little bit seriously. This has happened because of their negligence. This needs to be audited properly by them. I reported it several times, urging them to take it seriously. I just hope they become a little more serious and they start caring more about cybersecurity and data privacy. We’re also seen a lot of leaks happening in India, and government didn’t take any action and that is serious negligence.Going forward, what kind of future do you see for yourself? What do you want to pursue as a career?I want to be an engineer...cybersecurity is just a hobby for me. I’ll do engineering. I also did many internships and jobs in the past, mostly in software-related roles.Published on May 26, 2026