- 03 June, 2026
June 3, 2026: A student cybersecurity researcher who had earlier highlighted alleged vulnerabilities in the Central Board of Secondary Education's (CBSE) online evaluation system has claimed that gaining control access to the board's servers was "child's play", enabling him to modify website content and upload files.
Nisarga Adhikary, who has been among the key figures in the controversy surrounding the CBSE's On-Screen Marking (OSM) system, told The Telegraph Online that he had obtained what cybersecurity experts refer to as "write access" to CBSE servers.
"Yes, I could write into their servers and upload my own pages there and deface their pages and so on," Adhikary said in an email response.
As proof of the extent of access he claims to have secured, Adhikary referred to an earlier social media post in which he stated that he and others had managed to play the viral Bad Apple video on a CBSE production website. The post appeared to indicate that unauthorised content could be uploaded or embedded on a live CBSE system.
The researcher further alleged that the vulnerabilities extended well beyond website access. According to him, weaknesses in CBSE's cloud storage configuration exposed sensitive examination records, including scanned answer sheets and question papers from the 2026 examination cycle.
In a previous social media post, Adhikary claimed that the storage system had been improperly configured, allowing examination-related files to be accessed and downloaded without authorisation. He alleged that the same storage infrastructure was being utilised by multiple institutions.
Adhikary also claimed that he had gained access to students' marks and personally identifiable information (PII) connected to evaluators involved in the marking process. According to him, the exposed data extended beyond examination scores and included records containing personal details of evaluators. PII generally refers to information such as names, email addresses, phone numbers and other identifying details.
Referring to the possible consequences of the alleged vulnerabilities, Adhikary claimed they could have enabled unauthorised access to personal information, manipulation of marks and even deletion of data from affected systems. He alleged that the systems lacked even basic security measures and stated that the flaws were comparatively easy to identify and exploit.
He also cited findings published on his blog, where he alleged that a password capable of bypassing the portal's standard security checks had been embedded within the website's code. According to Adhikary, the credential functioned as a "master password" that could provide direct access to the evaluation dashboard without undergoing the usual OTP authentication process.
Referring to CBSE’s earlier assertion that the systems accessed by the ethical hacker were test environments containing dummy data rather than the live evaluation platform, Nisarga said, “Yes, they themselves have agreed later that they were indeed compromised.”
The board, while acknowledging the existence of vulnerabilities, later stated that the issues had been contained and resolved. The 19-year-old also reiterated that both CBSE and Coempt, the company at the centre of the controversy, are “very unresponsive — even till today.”
The CBSE on Tuesday launched its online portal for verification of issues observed in scanned copies of answer books and for re-evaluation of answers for students dissatisfied with their board examination assessment.
The board, however, stated that "malicious actors" attempted to disrupt services on the portal through a series of cyberattacks, including a denial-of-service (DoS) attack that generated 1.5 million hits within two minutes and more than one lakh attempts at unauthorised file access.
"While thousands of students accessed the CBSE re-evaluation portal today, malicious actors attempted to disrupt services through a barrage of cyberattacks," the board said in a post on X.
"The most recent being a denial of service (DoS) attack attempt causing 1.5 million hits on the portal within a matter of 2 minutes and more than 1 lakh attempts of unauthorised file access," it added.
The board stated that the portal was supporting more than 8,000 concurrent users and that over 16,000 students had completed their submissions as of 3 pm.
Based on feedback received from students, the CBSE said it had further refined the platform, including extending session time limits to make the process more convenient. "Our teams remain vigilant and responsive to ensure our dearest students are facilitated in all ways possible," it said.
Commenting on the cyberattack attempts, Srinivas L, Joint Managing Director and Joint CEO of 63SATS Cybertech, described the incident as a "coordinated, two-pronged operation", suggesting that the denial-of-service attack may have served as a distraction while attackers probed the system for files.
While crediting CBSE for keeping the portal operational despite the attacks, he cautioned that India's examination infrastructure cannot depend solely on reactive security measures and must instead be designed to withstand cyber threats from the outset, particularly when handling sensitive student data.
According to the CBSE, the re-evaluation facility is available only to students who have already obtained scanned copies of their evaluated answer books.
The portal, which will remain open until midnight on June 6, enables students to seek verification of issues such as missing pages, missing supplementary sheets, blurred scans, missing maps or graphs, incorrect answer books and evaluation against a different question paper set.
Students may also apply for re-evaluation of one or more questions across subjects by submitting the relevant details online. The entire process, including fee payment, is being conducted digitally through the CBSE website using Aadhaar-based verification.
The portal was launched after a delay, with the board having earlier indicated that applications for verification and re-evaluation were expected to commence by May 29.
The development comes amid ongoing concerns raised by students and parents regarding the implementation of the OSM system. The board has faced criticism over technical glitches, payment failures and access-related issues during the verification and re-evaluation process.
Courtesy: The Telegraph India
© 2026 CATHOLIC CONNECT POWERED BY ATCONLINE LLP
