CBSE said “no security breaches have come to light on the portal deployed for the actual evaluation work”


Ethical hacker Nisarga Adhikary on Tuesday disputed the Central Board of Secondary Education (CBSE)’s clarification that no production data had been compromised in its On-Screen Marking (OSM) system, asserting that he had accessed non-test user data and had visual proof, including screen recordings, to back his allegations. Adhikary had earlier given visual proof of having exposed the vulnerabilities in the CBSE’s OSM system for Class 12 board examination.

The CBSE maintained that the portal referenced in Adhikary’s social media posts was not the one used for actual evaluation work. In a statement posted on X, the Board said the URL which Adhikary said he had hacked into, http://cbse.onmarks.co.in, was “a testing site only with sample data for internal testing and review purposes”, and did not contain “actual evaluation data, marks or other data”.

“At the outset, it is clarified that the portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post,” said the Board.

CBSE added that “no security breaches have come to light on the portal deployed for the actual evaluation work”, and said the OSM system had been introduced to improve transparency in assessments while incorporating strong safeguards and grievance redressal mechanisms.

Questioning CBSE’s clarification that the accessed portal was merely a testing site with sample data, Adhikary said: “Then how was I able to access production data on that site? All of the mirrors you had under the onmark domain had the same vulnerabilities.”

He also shared screenshots on X countering the Board’s claims, and alleged that the vulnerabilities extended beyond the removal of a so-called master password. He further asserted that the domain cited by CBSE in its clarification was “not even a real domain”.

In an interview with businessline, Adhikary said he had documented the entire process and reported the issue to the Indian Computer Emergency Response Team (CERT-In). “I recorded the entire process and flagged it to CERT-In. Their response was an automated ‘Thank you for reporting’. A few days later, I reported five additional vulnerabilities. In response, they took the portal down for two or three days, removed the Master Password, and called it a day. But the remaining flaws were just as severe, and they left them completely untouched,” he alleged.

Meanwhile, highly placed sources in the Ministry of Electronics and Information Technology (MeitY) told businessline that the government was supporting CBSE in addressing the matter. “CBSE is working on this and we are giving whatever support they need. CBSE is working with all its vendors on this. CERT-In has also played its role, but it is the CBSE which has to solve the issue now. We in MeitY are taking all the steps required for cybersecurity,” said a source.

Digital systems

The controversy comes amid heightened concern over cybersecurity preparedness in critical digital systems. CERT-In has recently directed organisations to resolve vulnerabilities in critical systems within 12 hours of detection “where feasible”, citing the growing threat of AI-assisted cyberattacks.

“In this evolving threat environment, organisations should adopt adaptive, intelligence-driven, continuously validated and resilience-oriented cybersecurity practices, rather than relying solely on static controls or periodic compliance-driven assessments,” said CERT-In in its recent advisory.

It added that “continuous monitoring, rapid remediation, adaptive defence and coordinated cybersecurity preparedness are essential for strengthening resilience against evolving AI-assisted cyber threats and enhancing trust in India’s digital ecosystem.”

Published on May 26, 2026