Back

Critical Vulnerabilities in CBSE's On-Screen Marking System Exposed

Severity: High (Score: 69.0)

Sources: Thehindubusinessline, News.Ycombinator

Published: 2026-05-26 · Updated: 2026-05-26

Keywords: cbse, ethical, hacker, vulnerabilities, education, write-up, government

Severity indicators: vulnerabilities, flaw, government, education

Summary

Nisarga Adhikary, a young ethical hacker, discovered severe vulnerabilities in the Central Board of Secondary Education's (CBSE) On-Screen Marking (OSM) system, which is used for evaluating Class 12 board exams. The flaws, found on February 25, 2026, included a hardcoded master password allowing full account takeover and manipulation of student grades. Adhikary reported these issues to CERT-In but received minimal response, prompting him to publish his findings in a blog post on May 22, 2026. The vulnerabilities could have allowed unauthorized access to sensitive academic data, affecting millions of students and undermining the integrity of the examination process. The developer, Coempt EduTeck Pvt Ltd, faced criticism for poor security practices. Despite a brief shutdown to address one vulnerability, other critical flaws remain unaddressed. The incident highlights the urgent need for improved cybersecurity measures in India's digital education infrastructure. Key Points: • A hardcoded master password in CBSE's OSM system allowed full account takeover. • The vulnerabilities were reported to CERT-In, but the response was inadequate. • The flaws could compromise the integrity of millions of student evaluations.

Detailed Analysis

**Impact** The vulnerability affects the Central Board of Secondary Education (CBSE) in India, impacting millions of Class 12 students whose exam answer sheets are evaluated via the On-Screen Marking (OSM) system. Over 28,000 affiliated schools nationwide and several hundred abroad rely on this platform, putting the integrity of exam evaluations and academic data at risk. Unauthorized access could allow attackers to alter student marks, compromising the fairness and reliability of board exam results. **Technical Details** The attack vector involves exploitation of a hardcoded master password embedded in the client-side Angular JavaScript bundle, allowing bypass of OTP-based two-factor authentication. The authentication logic performs OTP verification locally in the browser using server-sent OTP values, enabling attackers to fully bypass second-factor controls. No malware or CVEs are mentioned; the vulnerability stems from insecure frontend code and flawed authentication design. The kill chain stage corresponds to initial access and credential compromise. **Recommended Response** Urgent removal of hardcoded credentials from client-side code and implementation of server-side OTP verification are critical. Conduct a comprehensive security audit of the OSM platform, including penetration testing of remaining vulnerabilities. Monitor authentication logs for anomalous examiner account activity and restrict access using multi-factor authentication enforced server-side. No specific IOCs were provided in the reports.

Source articles (2)

  • Exposing Critical Vulnerabilities in CBSE's On — News.Ycombinator · 2026-05-26
    I first posted a rough write-up of these vulnerabilities to r/CBSE using a throwaway account, but I figured a proper write-up on my own blog would be a better for it. The (X post) where this is being…
  • Government should take cybersecurity more seriously, says ethical hacker on CBSE OSM flaws — Thehindubusinessline · 2026-05-26
    A young ethical hacker, Nisarga Adhikary, has exposed a glaring vulnerability in India’s digital education infrastructure, demonstrating that a crucial Central Board of Secondary Education (CBSE) port…

Timeline

  • 2026-02-25 — Vulnerabilities discovered in CBSE OSM system: Nisarga Adhikary found critical flaws, including a hardcoded master password, during his examination period.
  • 2026-02-25 — Flaws reported to CERT-In: Adhikary alerted CERT-In about the vulnerabilities, expecting prompt action to secure the system.
  • 2026-05-22 — Adhikary publishes blog post detailing vulnerabilities: After receiving no effective response, Adhikary went public with his findings, outlining the security flaws in the OSM system.
  • 2026-05-26 — Media coverage of the vulnerabilities: The incident gained attention, highlighting the need for better cybersecurity in India's education sector.

Related entities

  • Data Breach (Attack Type)
  • Coempt EduTeck Pvt Ltd (Company)
  • Education (Company)
  • India (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • level.it (Domain)
  • marks.at (Domain)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed