CBSE Portal Breach: A Teen Hacker's Security Wake-Up Call

The Central Board of Secondary Education (CBSE) is the apex national-level public education board in India, responsible for conducting Class 10 and Class 12 board examinations for millions of students annually. In 2026, the board introduced the On-Screen Marking (OSM) system for Class 12 board examinations — a digitised evaluation platform that allows examiners to log on to an online portal where scanned copies of students' answer sheets are assigned to them for digital evaluation.

The OSM system was developed and hosted by Coempt Edu Teck Pvt Ltd, a Hyderabad-based private technology firm, under a vendor contract with CBSE. The platform uses the proprietary OnMark system, which is also reportedly used by other educational institutions across India. The move was intended to streamline the evaluation process, reduce physical handling of answer scripts, and minimise human error.

However, from the very beginning of the OSM rollout, students and teachers reported widespread glitches — including wrong answer sheets being uploaded, payment system failures, OTP verification errors, and access issues during the re-evaluation process. These complaints set the stage for the cybersecurity scandal that would follow.

The exposure of a security vulnerability in the CBSE portal is not merely a technical issue; it's a matter of profound concern for millions of students and their families. For students aspiring to higher education, their academic records, personal information, and examination results are the bedrock of their future.

Any compromise of this data could lead to identity theft, academic fraud, or even impact their chances of admission to their desired colleges or universities. Beyond the individual impact, such breaches erode public trust in national educational institutions and digital systems.

Parents and students rely on these platforms to be secure custodians of sensitive information. In an era where online applications, digital mark sheets, and virtual counselling sessions are becoming the norm, ensuring the absolute integrity and privacy of student data is paramount.

This incident emphasizes the urgent need for continuous security audits, robust encryption, and proactive threat detection strategies to protect the digital identities and academic futures of our youth, fostering a safer environment for online education.

5.1 Hardcoded Master Password

The most critical flaw discovered was a master password hardcoded directly into the website's source code. This credential functioned as a universal bypass, allowing anyone who downloaded the publicly accessible code to gain direct access to the OSM evaluation dashboard without requiring standard OTP authentication. All an attacker needed was a target's user ID and school code — both of which are publicly accessible — plus this master password to impersonate any examiner on the system.

5.2 CRUD and Shell Access to Production Servers

By exploiting the vulnerabilities, Adhikary obtained full CRUD (Create, Read, Update, Delete) access and Shell access to CBSE's production servers. CRUD access means the ability to fully control all data in the database — creating new records, reading existing data, modifying grades or records, and deleting data entirely. Shell/SSH access is even more serious, as it grants direct command-line control over the server itself, enabling an attacker to install software, exfiltrate data, or shut down services.

5.3 Improper Cloud Storage Configuration

Adhikary found that CBSE's cloud storage was improperly configured, exposing sensitive examination records — including scanned answer sheets and question papers from the 2026 examination cycle — to unauthorised access and download without any authentication. The same storage infrastructure was reportedly used by multiple educational institutions, multiplying the potential scope of exposure.

5.4 Bypassing OTP Authentication

The OSM portal's OTP-based second-factor authentication could be bypassed entirely using the master password, meaning the standard multi-step security check provided no real protection. An attacker could log in as any examiner, freely view and edit marks, alter evaluations, or delete data.

5.5 Personally Identifiable Information (PII) Leak

Multiple categories of PII were found exposed, including students' marks, names, email addresses, phone numbers, and personal details of evaluators involved in the marking process. On May 31, 2026 — even after CBSE's acknowledgment — Adhikary reported discovering another live production portal with what he described as a massive PII leak, indicating the vulnerabilities extended beyond the initially identified systems.

5.6 Super Admin Access on Subdomain

In addition to the main domain, Adhikary gained super admin access to another subdomain — onmark.co.in — which he believed was used for exam evaluation at multiple universities, not just CBSE, expanding the potential impact of the breach significantly.

Researcher Sarthak Sidhant's May 30 blog post revealed a pattern of alleged irregularities in how CBSE selected Coempt Edu Teck as its OSM vendor. As a public institution, CBSE is required to invite competitive bids through a transparent Request for Proposal (RFP) process.

However, Sidhant found that several critical clauses were altered or removed in a manner that appeared to benefit Coempt directly:

• History Clauses Removed: Clauses related to company history — specifically those disqualifying vendors with a track record of not meeting contractual obligations, financial failures, or abandoning work — were wiped out from the RFP.
• CMMI Level Reduced: The required Capability Maturity Model Integration (CMMI) level was reduced from 5 (highest standard in software engineering quality) to 3, significantly lowering the security and quality bar for the vendor's software development processes.
• Scanner Quality Lowered: Scanner quality standards were also lowered, which directly relates to the quality and integrity of scanned answer sheets.
• Prior Controversy Record: Coempt Edu Teck has previously been linked to the 2019 Telangana State Board Examination controversy, in which serious issues with digital evaluation were reported.

These findings raised serious questions about procurement integrity and whether India's most important examination board followed due diligence in selecting the technology vendor entrusted with millions of students' academic records.

7.1 CBSE's Initial Denial (May 26, 2026)

CBSE initially issued an official clarification on X (Twitter) claiming that the system accessed by Adhikary was a test environment containing only dummy data, not the live production platform. The board's Regional Head Rajesh Kumar Gupta went further, stating on camera to news agency IANS: "Regarding your question about the website being hacked, I completely deny it. I am rejecting this allegation outright. Because exams are being conducted offline so there are no questions of website being hacked."

7.2 CBSE's Official Acknowledgment (June 1, 2026)

7.3 Cybersecurity Expert Analysis

Srinivas L, Joint Managing Director and Joint CEO of 63SATS Cybertech, analysed the DoS attack on CBSE's re-evaluation portal as a coordinated, two-pronged operation — where the service disruption attack likely served as a smokescreen while attackers simultaneously probed the system for sensitive files. While crediting CBSE for keeping the portal operational, he cautioned that India's examination infrastructure cannot depend on reactive security measures and must be designed to withstand cyber threats from the ground up, particularly when handling sensitive student data.

8.1 Data Potentially Exposed

• Answer Scripts: Scanned answer sheets and question papers from CBSE Class 12 Board Examinations 2026
• Student Marks: Student marks, grades, and academic records accessible and modifiable without authorisation
• Student PII: Personally Identifiable Information (PII) of students — including names, email IDs, phone numbers, and other identifying details
• Examiner Data: PII of evaluators (examiners) involved in the marking process
• Multi-Institution Data: Institutional data of universities and other educational institutions using the same OnMark infrastructure

8.2 Possible Harms That Could Have Occurred

• Unauthorised modification or deletion of student marks and evaluation records
• Identity theft of students and examiners using leaked PII
• Defacement of CBSE's official web presence (partially demonstrated as proof)
• Targeted cyberattacks on evaluators using their exposed contact information
• Large-scale data exfiltration of confidential examination material
• Disruption of the entire re-evaluation and verification process for thousands of students

8.3 Re-Evaluation Portal: Cyber Attack Statistics

Key Statistics

• 1.5 Million — DoS Attack Hits in 2 Minutes
• 1 Lakh+ — Unauthorized File Access Attempts
• 16,000+ — Successful Student Submissions Despite the Attacks

CERT-In (Indian Computer Emergency Response Team), operating under the Ministry of Electronics and Information Technology (MeitY), is India's national nodal agency responsible for responding to cybersecurity incidents, issuing advisories, and protecting critical digital infrastructure. The agency is constituted under Section 70B of the Information Technology Act, 2000.

The CBSE portal incident represents a serious institutional failure: Adhikary first reported the vulnerabilities to CERT-In on February 25, 2026 — more than three months before his public disclosure on May 22. During this period, he followed up multiple times. CERT-In sent a single acknowledgment that the matter would be looked into, then went completely silent. No remedial action was taken, no advisory was issued, and CBSE was apparently never meaningfully notified to secure its systems during this window.

10.1 Institutional Accountability

The CBSE portal hack is not an isolated incident but part of a broader pattern of cybersecurity neglect in India's public education infrastructure. It follows the NEET 2024 examination leak controversy and the CUET technical glitches, highlighting systemic weaknesses in how educational data is protected and managed. The willingness of officials to publicly deny clear evidence — followed by an acknowledgment only after proof went viral — raises serious concerns about institutional transparency and accountability.

10.2 Student Welfare at Stake

For Class 12 students, board examination results are life-defining — determining college admissions, scholarship eligibility, and future opportunities. The ability of an unauthorised actor to modify, delete, or leak answer sheets and marks is not a theoretical risk; it is an existential threat to the fairness of examinations that govern the futures of millions of young Indians.

10.3 Vendor Selection Integrity

The findings of researcher Sarthak Sidhant regarding CBSE's alleged manipulation of its own tender process to favour Coempt Edu Teck — a vendor with a prior controversy record and reduced technical certifications — demand independent investigation. If proven, this would constitute a serious breach of public procurement norms and fiduciary duty by CBSE.

10.4 The Role of Ethical Hackers

The CBSE incident underscores the vital role that ethical hackers and student researchers can play in protecting public digital infrastructure. Both Adhikary and Sidhant are students who recently completed their Class 12 examinations — the very examinations affected by these vulnerabilities. Their actions — responsible disclosure followed by public exposure only after institutional failure — represent a model of civic engagement that India's cybersecurity ecosystem needs to embrace rather than resist.

• Expert Team Deployed: Deployed an expert team of cybersecurity professionals from various arms of the government and IITs to assess and secure the OSM portal
• Infrastructure Migration: Migrating the portal to a more secure infrastructure setup
• Vulnerabilities Contained: Confirmed that identified vulnerabilities have been contained and are actively ruling out other exploitable weaknesses
• Reporting Channel Created: Established a direct reporting channel for ethical hackers and alert citizens: cert@cbse.gov.in
• Portal Improvements: Extended session time limits on the re-evaluation portal based on student feedback and maintained 8,000+ concurrent user support
• Ongoing Vigilance: Stated that teams remain vigilant and responsive to further threats

The CBSE On-Screen Marking portal hack of 2026 is a landmark cybersecurity incident that exposed deep vulnerabilities in India's public examination infrastructure.

The failure spans multiple layers:

• CBSE failed to implement basic security hygiene — a hardcoded master password in a system handling millions of student records is an inexcusable lapse.
• CERT-In failed in its fundamental mandate by ignoring credible, specific, and timely vulnerability disclosures for over three months.
• CBSE officials compounded the damage through public denial of evidence, eroding institutional credibility.
• Procurement irregularities, if proven, suggest the system's weaknesses may not be accidental.

Conversely, the incident demonstrated the power of citizen cybersecurity research. Two students, aged 18 and 19, accomplished what India's official cybersecurity apparatus failed to do: bring a critical national vulnerability to light and force remedial action. CBSE's eventual expression of gratitude toward ethical hackers is a step in the right direction, but meaningful reform requires structural changes — not just emergency patches.