CBSE acknowledges vulnerabilities in evaluation portal a week after rejecting concerns

https://www.thehindubusinessline.com/news/education/cbse-acknowledges-vulnerabilities-in-evaluation-portal-a-week-after-rejecting-concerns/article71044976.ece

(File photo) A member of the National Students’ Union of India (NSUI) during a protest against the Central Board of Secondary Education (CBSE) over discrepancies and technical glitches in the On-Screen Marking (OSM) system, in New Delhi | Photo Credit: SHIV KUMAR PUSHPAKAR

Days after asserting that its online answer-sheet evaluation system had been “neither compromised nor suffered from the vulnerabilities” flagged by cybersecurity researchers, the Central Board of Secondary Education (CBSE) on Sunday acknowledged that weaknesses had been identified in the OnMark portal operated by its service provider and said they had been contained.

In a statement posted on X, the Board said: “We have been closely monitoring the vulnerabilities in the OnMark portal of our service provider that are being flagged in the public domain. An expert team of cybersecurity professionals has been deployed over the last few days from across various arms of the government as well as the IITs to fortify these systems, including taking them over to a more secure set up. The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out.”

The Board also said: “We are grateful to all alert citizens and ethical hackers pointing out such weaknesses, and have gotten in touch with some of them directly. We request any others to reach out to our security teams at secy-cbse@nic.in for any further inputs.”

Ethical hacker’s reply

However, 19-year-old ethical hacker Nisarga Adhikary, who has been publicly flagging alleged security flaws in the system, disputed CBSE’s assertion that it had reached out to those raising concerns.

“I’ve mailed their security team hours back,” Adhikary told businessline. “haven’t heard back.”

He added: “no one contacted me” and alleged that “they are still being dishonest and deceiving”.

In his post on X on Sunday, Adhikary alleged that an AWS bucket containing 2026 answer sheets and question papers could be accessed without authorisation.

“CBSE people didn’t configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answersheets & question papers. ListObjectsV2 works without any auth and the bucket root is listable too — anyone on the internet can download any scanned booklet — across institutions. Multiple institutions are using the same bucket, insanely insecure. (sic),” he said.

CBSE did not specifically address these latest allegations but maintained that the vulnerabilities identified in the system had been contained and that checks were underway to rule out other exploitable weaknesses.

Published on May 31, 2026
