A 19-year-old ethical hacker and recent Class 12 student, Nisarga Adhikary, exposed serious vulnerabilities in the Central Board of Secondary Education (CBSE) On-Screen Marking (OSM) portal used for digital evaluation of answer sheets.
The flaws allegedly enabled unauthorized access, examiner impersonation, password resets, and possible manipulation of marks.
Adhikary claimed he identified the issues in February 2026, including hardcoded passwords, insecure OTP validation, and insecure direct object reference (IDOR) vulnerabilities.
He reportedly shared technical evidence with CERT-In through a responsible disclosure process.
However, corrective action and public clarification took several months.
The incident exposed broader weaknesses in India’s public-sector cybersecurity response.
Experts cite bureaucratic approval chains, coordination gaps between government agencies and vendors, and a shortage of skilled cybersecurity professionals as major reasons for delayed remediation.
CBSE clarified that the vulnerabilities were linked to a testing environment containing dummy data and not the live production system.
The board stated that no student marks or official records were compromised.
Despite the clarification, the case highlights the urgent need for faster vulnerability response frameworks, continuous security audits, stronger accountability, and proactive cybersecurity governance across India’s rapidly expanding digital infrastructure.




