CBSE OSM Portal Had Critical Vulnerabilities, Ethical Hacker Tells NDTV

CBSE Class 12 Evaluation System Issues: Nisarga Adhikary claimed that by combining the flaws he reported, an attacker could potentially take over examiner accounts, view assigned answer scripts, modify marks, and interfere with the evaluation process.

CBSE Class 12 Evaluation Portal Issues: even a hacker could change numbers in the answer copies

CBSE OSM System Issues: Ethical hacker Nisarga Adhikary's social media post is going viral after he claimed to have discovered critical vulnerabilities in CBSE's On-Screen Marking (OSM) portal used for Class 12 board exam evaluation.

A 19-year-old ethical hacker has alleged that critical security flaws in the Central Board of Secondary Education's digital evaluation system could have allowed attackers to access examiner accounts, bypass authentication systems, and even alter students' marks.

Speaking to NDTV, Nisarga Adhikary claimed that he had informed both CBSE and CERT-In about the vulnerabilities nearly three months ago, but no major corrective action was taken initially.

"Regarding the CBSE On-Screen Marking system, I informed them three months ago about the portal vulnerabilities and no action was taken. After repeated contact, CBSE briefly took the portal down for three to four days and made some changes, but issues related to passwords and OTP systems were still exploitable," Adhikary told NDTV.

He further claimed that "even a hacker could change numbers in the answer copies as an examiner" if the vulnerabilities were exploited.

According to Adhikary, after his detailed social media post and blog went viral on Monday, the portal's accessibility was significantly restricted and parts of the system were temporarily taken offline.

Earlier, CBSE had issued a circular stating that the portal was facing "unprecedented traffic" and also "attempts of unauthorised interference."

How the vulnerabilities were discovered

Adhikary, who recently completed his Class 12 examinations and works as a hobbyist cybersecurity researcher, said he started examining the portal after noticing that the OSM login link was publicly accessible.

According to his blog post, the vulnerabilities were first discovered on February 25, 2026, and were subsequently reported to CERT-In.

He alleged that after examining the portal's frontend JavaScript files and HTTP requests, he identified multiple critical flaws in the authentication and authorization systems.

Key vulnerabilities highlighted by the researcher

According to Adhikary's claims, the vulnerabilities included:

  • A "hardcoded master password" allegedly embedded directly inside the portal's JavaScript bundle, which could reportedly bypass the OTP verification system.
  • OTP validation allegedly taking place entirely on the client side instead of secure server-side verification.
  • Lack of route protection, allowing direct access to internal dashboard pages without proper authentication.
  • A password reset mechanism that allegedly did not verify the old password before changing credentials.
  • A systemic "IDOR" (Insecure Direct Object Reference) vulnerability, where changing user IDs in browser storage could allegedly allow access to other examiner accounts.

Adhikary claimed that by combining these flaws, an attacker could potentially take over examiner accounts, view assigned answer scripts, modify marks, and interfere with the evaluation process.

"None of this required sophisticated exploitation. The hardest part was reading a JavaScript file and editing a couple of values in DevTools," he wrote in his post.
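The flaw classes listed above all come down to trusting the browser. As an added illustration (not code from the portal, the researcher's post, or this report), the sketch below shows the corresponding server-side checks: OTP comparison on the server with no fixed bypass value, a route guard, identity taken from the session rather than a client-supplied ID, and a password change that requires the old password. All function names, user IDs and passwords are hypothetical, and the in-memory maps stand in for a real database.

```javascript
// Added illustration (Node.js standard library); every name and value is constructed.
const crypto = require('crypto');
const hashPw = (pw, salt) => crypto.scryptSync(pw, salt, 32);
const sameBytes = (a, b) => a.length === b.length && crypto.timingSafeEqual(a, b);
const users = new Map();    // userId -> { salt, pwHash }
const otps = new Map();     // userId -> { code, expires, triesLeft }
const sessions = new Map(); // token  -> { userId, otpVerified }

function addUser(userId, password, salt = crypto.randomBytes(16)) {
  users.set(userId, { salt, pwHash: hashPw(password, salt) });
}

// Step 1: the password check issues a session that is NOT yet OTP-verified.
function login(userId, password, now = Date.now()) {
  const u = users.get(userId);
  if (!u || !sameBytes(hashPw(password, u.salt), u.pwHash)) return null;
  const code = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  otps.set(userId, { code, expires: now + 5 * 60 * 1000, triesLeft: 3 });
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, { userId, otpVerified: false });
  return { token, otpForDelivery: code }; // delivered out of band, never sent to the browser
}

// Step 2: the OTP is compared on the server; expiry, retry limit, single use.
function verifyOtp(token, submitted, now = Date.now()) {
  const s = sessions.get(token);
  const o = s && otps.get(s.userId);
  if (!o || now > o.expires || o.triesLeft-- <= 0) return false;
  if (!sameBytes(Buffer.from(String(submitted)), Buffer.from(o.code))) return false;
  otps.delete(s.userId);
  s.otpVerified = true;
  return true;
}

// Route guard: every internal handler resolves identity from the session.
function requireUser(token) {
  const s = sessions.get(token);
  if (!s || !s.otpVerified) throw new Error('401 not authenticated');
  return s.userId;
}

// A client-supplied user ID is only compared against the session, never trusted.
function changePassword(token, claimedUserId, oldPw, newPw) {
  const userId = requireUser(token);
  if (claimedUserId !== userId) throw new Error('403 forbidden');
  const u = users.get(userId);
  if (!sameBytes(hashPw(oldPw, u.salt), u.pwHash)) throw new Error('403 old password wrong');
  u.pwHash = hashPw(newPw, u.salt);
  return true;
}
```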

CERT-In response and disclosure

Adhikary stated that he first informed the Indian Computer Emergency Response Team (CERT-In) through email and later shared screen recordings and additional technical details after being asked for more evidence.

According to him, CERT-In acknowledged the complaint with a standard response saying the matter had been registered and appropriate action was being taken with the concerned authority.

However, he claimed that after the acknowledgement, no substantial communication followed and several vulnerabilities allegedly remained unpatched for an extended period.

What is CBSE's On-Screen Marking system?

The Central Board of Secondary Education, one of India's largest education boards, has been gradually shifting to a digital evaluation process through its On-Screen Marking (OSM) system for Class 12 board examinations.

Under the system, physical answer sheets are scanned and uploaded online. Examiners from across the country log into a digital portal and evaluate copies remotely instead of handling physical answer sheets.

The system is aimed at speeding up evaluation, reducing logistics challenges, and making the checking process more streamlined. With CBSE conducting examinations for millions of students annually and being affiliated with over 28,000 schools in India and abroad, the digital evaluation system handles highly sensitive academic data and plays a crucial role in maintaining the integrity of board results.

Adhikary alleged that the same evaluation platform, reportedly developed by Coempt EduTeck Pvt Ltd under the "OnMark" system, is also used by multiple educational boards and institutions.

CBSE has not yet issued any detailed public statement specifically responding to the technical allegations made in the viral post. 
