Ethical hacker, CBSE lock horns over board exam portal vulnerability

CBSE stated “no safety breaches have come to mild on the portal deployed for the precise analysis work”
| Picture Credit score:
MURALI KUMAR Ok

Ethical hacker Nisarga Adhikary on Tuesday disputed the Central Board of Secondary Training (CBSE)’s clarification that no manufacturing information had been compromised in its On-Display screen Marking (OSM) system, asserting that he had accessed non-test person information and had visible proof, together with display screen recordings, to again his allegations. Adhikary had earlier given visible proof of getting uncovered the vulnerabilities within the CBSE’s OSM system for Class 12 board examination.

The CBSE maintained that the portal referenced in Adhikary’s social media posts was not the one used for precise analysis work. In a press release posted on X, the Board stated the URL which Adhikary stated he had hacked into, http://cbse.onmarks.co.in, was “a testing web site solely with pattern information for inside testing and evaluate functions”, and didn’t include “precise analysis information, marks or different information”.

“On the outset, it’s clarified that the portal used for analysis of answer-books bore a unique URL, which has neither been compromised nor does it have the vulnerabilities indicated within the stated social media submit,” stated the Board.

CBSE added that “no safety breaches have come to mild on the portal deployed for the precise analysis work”, and stated the OSM system had been launched to enhance transparency in assessments whereas incorporating robust safeguards and grievance redressal mechanisms.

Questioning CBSE’s clarification that the accessed portal was merely a testing web site with pattern information, Adhikary stated: “Then how was I in a position to entry manufacturing information on that web site? The entire mirrors you had below the onmark area had the identical vulnerabilities.”

He additionally shared screenshots on X countering the Board’s claims, and alleged that the vulnerabilities prolonged past the removing of a so-called grasp password. He additional asserted that the area cited by CBSE in its clarification was “not even an actual area”.

In an interview with businessline, Adhikary stated he had documented your entire course of and reported the problem to the Indian Pc Emergency Response Crew (CERT-In). “I recorded your entire course of and flagged it to CERT-In. Their response was an automatic ‘Thanks for reporting’. Just a few days later, I reported 5 extra vulnerabilities. In response, they took the portal down for 2 or three days, eliminated the Grasp Password, and known as it a day. However the remaining flaws had been simply as extreme, they usually left them fully untouched,” he alleged.

In the meantime, extremely positioned sources within the Ministry of Electronics and Data Expertise (MeitY) instructed businessline that the federal government was supporting CBSE in addressing the matter. “CBSE is engaged on this and we’re giving no matter help they want. CBSE is working with all its distributors on this. CERT-In has additionally performed its function, however it’s the CBSE which has to resolve the problem now. We in MeitY are taking all of the steps required for cybersecurity,” stated a supply.

digital programs

The controversy comes amid heightened concern over cybersecurity preparedness in important digital programs. CERT-In has lately directed organisations to resolve vulnerabilities in important programs inside 12 hours of detection “the place possible”, citing the rising menace of AI-assisted cyberattacks.

“On this evolving menace surroundings, organisations ought to undertake adaptive, intelligence-driven, constantly validated and resilience-oriented cybersecurity practices, somewhat than relying solely on static controls or periodic compliance-driven assessments,” stated CERT-In in its current advisory.

It added that “steady monitoring, fast remediation, adaptive defence and coordinated cybersecurity preparedness are important for strengthening resilience towards evolving AI-assisted cyber threats and enhancing belief in India’s digital ecosystem.”

Printed on Could 26, 2026