A student cybersecurity researcher who previously flagged alleged vulnerabilities in the Central Board of Secondary Education's (CBSE) online evaluation system has claimed that it was "child's play" for him to gain control access to the board's servers, allowing him to alter website content and upload files.
Nisarga Adhikary, who has been among those at the centre of the controversy surrounding the CBSE's On-Screen Marking (OSM) system, told The Telegraph Online that he was able to obtain what cybersecurity experts describe as "write access" to CBSE servers.
"Yes, I could write into their servers and upload my own pages there and deface their pages and so on," Adhikary said in an email response.
As evidence of the level of access he claims to have obtained, Adhikary pointed to an earlier social media post in which he said he and others were able to play the viral Bad Apple video on a CBSE production website. The post appeared to suggest that unauthorised content could be uploaded or embedded on a live CBSE system.
The researcher alleged that the vulnerabilities extended far beyond website access. According to him, weaknesses in CBSE's cloud storage configuration exposed sensitive examination records, including scanned answer sheets and question papers from the 2026 examination cycle.
In an earlier social media post, Adhikary claimed the storage system was improperly configured, allowing examination-related files to be accessed and downloaded without authorisation. He alleged that the same storage infrastructure was being used by multiple institutions.
Adhikary further claimed that he was able to access students' marks and personally identifiable information (PII) linked to evaluators involved in the marking process. According to him, the exposed information went beyond examination scores and included records containing personal details of evaluators. PII generally refers to information such as names, email addresses, phone numbers and other identifying details.
Referring to the potential impact of the alleged vulnerabilities, Adhikary claimed they could have enabled unauthorised access to personal information, manipulation of marks and even deletion of data from affected systems. He claimed that the systems lacked even basic security safeguards and said the flaws were relatively easy to discover and exploit.
He also referred to findings published on his blog, where he alleged that a password capable of bypassing the portal's normal security checks had been embedded in the website's code. According to Adhikary, the credential functioned as a "master password" that could provide direct access to the evaluation dashboard without going through the standard OTP authentication process.
Referring to CBSE’s earlier claim that the systems the ethical hacker accessed were test environments containing dummy data rather than the live evaluation platform, Nisarga said, “Yes, they themselves have agreed later that they were indeed compromised.”
The board, acknowledging the existence of vulnerabilities, later said the issues had been contained and addressed. The 19-year-old also reiterated that both CBSE and Coempt, the company at the center of the controversy, are “very unresponsive — even till today.”
The CBSE on Tuesday launched its online portal for verification of issues observed in scanned copies of answer books and re-evaluation of answers for students dissatisfied with their board exam evaluation.
The board, however, said "malicious actors" attempted to disrupt services on the portal through a barrage of cyberattacks, including a denial-of-service (DoS) attack that generated 1.5 million hits within two minutes and more than one lakh attempts at unauthorised file access.
"While thousands of students accessed the CBSE re-evaluation portal today, malicious actors attempted to disrupt services through a barrage of cyberattacks," the board said in a post on X.
"The most recent being a denial of service (DoS) attack attempt causing 1.5 million hits on the portal within a matter of 2 minutes and more than 1 lakh attempts of unauthorised file access," it added.
The board said the portal was supporting over 8,000 concurrent users and that more than 16,000 students had completed their submissions as of 3 pm.
Based on student feedback, the CBSE said it had refined the platform further, including extending session time limits to make the process more convenient. "Our teams remain vigilant and responsive to ensure our dearest students are facilitated in all ways possible," it said.
Commenting on the cyberattack attempts, Srinivas L, Joint Managing Director and Joint CEO of 63SATS Cybertech, described the incident as a "coordinated, two-pronged operation", suggesting the denial-of-service attack may have served as a distraction while attackers probed the system for files.
While crediting CBSE for keeping the portal operational despite the attacks, he cautioned that India's examination infrastructure cannot rely on reactive security measures alone and must be designed to withstand cyber threats from the outset, particularly when handling sensitive student data.
According to the CBSE, the re-evaluation facility is available only to students who have already obtained scanned copies of their evaluated answer books.
The portal, which will remain open until midnight on June 6, allows students to seek verification of issues such as missing pages, missing supplementary sheets, blurred scans, missing maps or graphs, incorrect answer books and evaluation against a different question paper set.
Students can also apply for re-evaluation of one or more questions across subjects by submitting the relevant details online. The entire process, including payment of fees, is being conducted digitally through the CBSE website using Aadhaar-based verification.
The portal was launched after a delay, with the board having earlier indicated that applications for verification and re-evaluation were expected to begin by May 29.
The development comes amid continuing concerns raised by students and parents over the implementation of the OSM system. The board has faced criticism over technical glitches, payment failures and access-related issues during the verification and re-evaluation process.
