Sun, 31 May 2026 The Hindu

CBSE says OnMark portal ‘vulnerabilities’ contained amid security concerns

After public posts by ethical hackers exposed vulnerabilities in the Central Board of Secondary Education’s On-Screen Marking platform OnMark, the board on Sunday (May 31, 2026) stated that the identified vulnerabilities “have been contained and other exploitable weaknesses are being ruled out”.

The CBSE also said it was “grateful” to alert citizens for pointing out “such weaknesses”.

“We have been closely monitoring the vulnerabilities in the OnMark portal of our service provider that are being flagged in the public domain. An expert team of cybersecurity professionals has been deployed over the last few days from across various arms of the government as well as the IITs [Indian Institutes of Technology] to fortify these systems, including taking them over to a more secure set-up,” the CBSE said in an official statement on X. “The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out.”

The CBSE’s statement comes after 19-year-old ethical hacker Nisarga Adhikary claimed that he had hacked the CBSE’s digital evaluation ecosystem.

Speaking with The Hindu, Mr. Adhikary said he felt “happy and satisfied” that the CBSE had finally acknowledged the vulnerabilities in its Information Technology (IT) ecosystem. “I had sent my first report to the CBSE on February 25, and within three to four days, they took the portal down. Six to seven vulnerabilities were still active and exploitable later but the CBSE did not respond to my e-mails. This was pretty frustrating. I noticed that the CBSE had poorly managed infrastructure and the passwords used were easy to guess,” Mr. Adhikary said.

Earlier, the CBSE had rejected claims that its evaluation platform had been compromised. Mr. Adhikary had countered this claim.

On May 30, Mr. Adhikary managed to hack into the CBSE’s Principals dashboard in the On-Screen Marking platform. “The dashboard and the portal had 9.3 million columns and rows of sensitive student data, including images of answer sheets of students which lay unprotected and could be easily tampered with,” Mr. Adhikary further said.

Mr. Adhikary has alleged that there are data sovereignty issues with how COEMPT Eduteck [the CBSE’s technology vendor] handled sensitive student exam data. He has alleged that an Amazon Web Services (AWS) bucket containing 2026 answer sheets and question papers could be accessed without authentication.

“COEMPT should have ideally stored the data on their own servers, but they took the ‘cheap easy route,’ of storing answer sheets in Amazon Web Services public buckets without any security checks,” Mr. Adhikary stated.

He further explained that sensitive data, including personal information of students, was processed by Google’s Gemini in automation scripts prepared by quality assurance engineers of COEMPT.

Mr. Adhikary called this “scary” and “sad”, where a third party sends such data to the U.S. for processing. “Data Privacy Laws are not respected and they [the company] should get sued for doing this without student consent,” he further said.