Student flagged flaws. Now CBSE says experts from govt and IITs are securing its systems

The Central Board of Secondary Education (CBSE) on Sunday said it has deployed cybersecurity experts from government agencies and the Indian Institutes of Technology (IITs) to strengthen its digital systems after a series of public allegations about vulnerabilities in platforms linked to its On-Screen Marking (OSM) ecosystem.

The statement marks the board’s detailed response to claims raised in recent days by 17-year-old student Sarthak Sidhant and 19-year-old ethical hacker Nisarga Adhikary, who have alleged security weaknesses across portals associated with CBSE’s examination infrastructure.

Don’t Miss: ‘Insanely insecure’: Ethical hacker alleges CBSE answer sheets, question papers were publicly accessible

“We have been closely monitoring the vulnerabilities in the OnMark portal of our service provider that are being flagged in the public domain,” CBSE said. 

The board said an expert team of cybersecurity professionals drawn from “various arms of the government as well as the IITs” has been working over the past few days to strengthen the systems.

“An expert team of cybersecurity professionals has been deployed over the last few days from across various arms of the government as well as the IITs to fortify these systems, including taking them over to a more secure setup,” the CBSE said. 

“The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out. 
We are grateful to all alert citizens and ethical hackers pointing out such weaknesses, and have gotten in touch with some of them directly,” the board said. “We request any others to reach out to our security teams at secy-cbse@nic.in for any further inputs.”

Don’t Miss: ‘Password was 123456’: Student alleges fresh security lapses in CBSE-linked systems

The response comes after Sarthak published a fresh blog alleging that “almost every single OnMark portal built by EduTek is fundamentally insecure” and claiming that weak passwords, outdated security practices and other vulnerabilities exposed student data to potential risks.

Among his claims was an allegation that an administrative portal could be accessed using the password “123456.” He also alleged that some systems relied on outdated MD5 password hashes and suffered from broader infrastructure weaknesses.

The latest allegations followed an earlier controversy surrounding CBSE’s On-Screen Marking system, where Sarthak questioned changes made to tender requirements before Hyderabad-based Coempt Eduteck secured the contract for the project.

Separately, ethical hacker Nisarga Adhikary recently claimed to have identified vulnerabilities in CBSE-linked platforms and alleged that examination-related files stored on cloud infrastructure were publicly accessible because of configuration issues.

Earlier this week, CBSE rejected claims that its actual answer-sheet evaluation platform had been compromised. The board said the URL referenced in social media posts was a testing portal containing sample data and was not the platform used for evaluating answer books.

“The Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post,” CBSE had said.

While reiterating that no breach had been detected on the evaluation platform, the board’s latest statement acknowledged vulnerabilities in the OnMark portal of its service provider and said steps were underway to secure the systems and eliminate any remaining weaknesses.