Questions are being raised over oversight of India’s examination technology infrastructure after a 19-year-old cybersecurity researcher claimed to have identified vulnerabilities inside the Central Board of Secondary Education’s (CBSE) digital evaluation system that, according to his public disclosure, could theoretically allow unauthorised access to examiner workflows and expose the ability to view or modify marks.
The researcher says concerns relating to the same environment were reported twice to the Indian Computer Emergency Response Team (CERT-In) over a three-month period.
The allegations relate to CBSE’s On-Screen Marking (OSM) ecosystem, the digital platform used in answer-book assessment.
The platform operates through the Onmark evaluation environment hosted at cbse.onmark.co.in, which is not a public student portal but an internal evaluation system intended for authorised users such as examiners, head examiners and evaluation administrators.
CBSE introduced the On-Screen Marking (OSM) system as part of its move to digital evaluation of board examinations. Under the process, physical answer books are scanned and uploaded to a central platform where evaluators assess scripts digitally instead of relying entirely on manual paper handling. The system manages examiner access, answer-book allocation, question-wise marking, moderation and evaluation workflows, with the stated objective of improving efficiency, reducing delays and creating a stronger audit trail in the assessment process.
The claims have not been validated by CBSE or CERT-In, and no evidence reviewed for this report establishes that marks were changed, answer books manipulated or examination outcomes affected.
The researcher publishes under the online identity “ni5arga”.
In conversations with this newspaper, he described himself as a software engineer and cybersecurity researcher based in West Bengal. He said he had recently finished school and had been involved in application-security research and ethical hacking as a personal pursuit.
He said his interest in the platform began after CBSE moved to digital evaluation.
“I got curious considering they shifted to digital/OSM checking this year, so decided to inspect their portal,” he said.
He said he examined the environment on 24–25 February and sent his first report to CERT-In on 25 February.
Screenshots reviewed for this report show a CERT-In acknowledgement email dated 26 February carrying reference number CERTIn-16590126 and stating that the incident had been registered and action was being initiated with the concerned authority.
He said CERT-In later sought additional proof and proof-of-concept material, which he provided.
The acknowledgement does not indicate that the findings were reproduced, accepted or confirmed.
The technical disclosure alleges weaknesses not in a public-facing informational website but in authentication and access controls linked to the evaluation workflow.
One of the central claims is that part of the authentication process relied on a credential embedded in frontend JavaScript.
The researcher alleged that entering that value automatically populated the OTP field and bypassed the normal authentication sequence.
He further claimed OTP verification was handled on the client side rather than being fully enforced by backend systems and that the OTP value was returned to the browser during authentication and validated locally.
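The weakness class alleged here can be shown with a short added example; it is not code from the researcher's write-up or from the platform. It contrasts a response that hands the one-time code to the browser with a check that lives entirely on the server. All names, the five-minute lifetime and the attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed policy values, not taken from the article
MAX_ATTEMPTS = 5


def flawed_issue(user_id):
    """Alleged pattern: the OTP is returned to the browser for a local check."""
    otp = f"{secrets.randbelow(10**6):06d}"
    return {"status": "otp_sent", "otp": otp}


def leaks_otp(response, otp):
    """Review check: does the serialized response contain the one-time code?"""
    return otp in json.dumps(response)


class OtpService:
    """Hypothetical server-side issuer/verifier; state never leaves the server."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # user_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(otp):
        return hashlib.sha256(str(otp).encode()).digest()

    def issue(self, user_id):
        otp = f"{secrets.randbelow(10**6):06d}"
        expires = self._clock() + OTP_TTL_SECONDS
        self._pending[user_id] = [self._digest(otp), expires, MAX_ATTEMPTS]
        # First value is the HTTP response; second goes only to SMS/e-mail delivery.
        return {"status": "otp_sent"}, otp

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None or self._clock() > entry[1] or entry[2] <= 0:
            self._pending.pop(user_id, None)  # unknown, expired or locked out
            return False
        entry[2] -= 1
        if hmac.compare_digest(entry[0], self._digest(submitted)):
            del self._pending[user_id]  # single use
            return True
        return False
```

A session should be created only after `verify` returns true on the server; a result computed in the browser is input, not proof.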
The disclosure also alleges weaknesses in authorization controls, password-management mechanisms and identity handling.
Taken together, the researcher claimed those conditions allowed authentication as an examiner and access to an evaluation dashboard.
In his public write-up, he further claimed that the interface exposed the ability to view and modify marks.
He additionally claimed that reaching that stage required no sophisticated exploitation techniques, only combinations of identifiers and authentication logic exposed inside the application.
The researcher argues that the importance of those findings lies not in whether a website contained vulnerabilities but in whether digital evaluation workflows were sufficiently protected by the controls around them.
Communication slowed after the initial report, he said, and follow-up efforts did not result in a detailed response.
Months later, he said he identified another set of vulnerabilities affecting the same CBSE OSM environment.
He said a second report was submitted to CERT-In on 25 May.
Screenshots reviewed for this report show another CERT-In acknowledgement carrying reference number CERTIn-98963326.
The researcher described the second submission as involving additional vulnerabilities in the same environment, including what he characterised as possible personal-data exposure.
He said changes to the portal followed soon after the second disclosure.
According to the researcher, the original portal later became inaccessible and additional mirror or alternate subdomains appeared before also becoming unavailable.
Screenshots shared by him showed lists of related subdomains associated with the broader Onmark environment.
This report could not establish whether those operational changes were connected to the disclosures or whether the environments hosted identical infrastructure.
The researcher identified Coempt EduTech Pvt Ltd as the apparent vendor associated with the evaluation platform, although its contractual role in the CBSE deployment could not be independently verified.
The company has previously appeared in media reports relating to examination technology projects. A recent report on the CHSE Odisha Plus II e-evaluation process said Coempt EduTech, formerly known as Globarena Technology Pvt Ltd, faced questions over the award and execution of digital evaluation work, including allegations relating to subcontracting arrangements. Those reports relate to a separate matter and do not establish wrongdoing in the CBSE case.
Questions have been sent to CBSE regarding the reported vulnerabilities, the disclosure timeline, any remediation undertaken and whether any review of the affected systems was conducted.
Responses were awaited at the time of publication.

