
A 19-Year-Old Reported CBSE's Security Gaps. The Board Admitted Three Months Later
Nisarga Adhikary flagged the flaws to the government's cyber agency three months before CBSE conceded them. He says he's "happy and satisfied." He also says the Board is being "a little dishonest".


What began as curiosity became a test of CBSE’s accountability. We piece together a timeline of unanswered emails, public denial, and eventual partial admission.
Nineteen-year-old Nisarga Adhikary wasn’t looking for a headline when he began probing CBSE’s On-Screen Marking (OSM) portal, the system the Board rolled out this year to evaluate scanned Class 10 and 12 answer sheets on screen instead of on paper.
“I have always enjoyed looking in this area,” the West Bengal teenager told Decode. Self-taught through YouTube and inclined towards the field since Class 6 or 7, Adhikary has long made a habit of checking how secure public-facing platforms really are.
So he tested CBSE’s publicly accessible portal — and found glaring vulnerabilities.
The flaws, he says, could have let an outsider into examiner accounts and allowed tampering with the scores of nearly 18 lakh students whose answer sheets passed through the system.
He was appearing for his own Class 12 board exams at this time.
The Basic Lapses
What Adhikary says he found in the system points to basic security gaps.
The OTP meant to secure logins, he found, could be bypassed using a "master password" sitting in plain view inside the website's own code, rendering the extra layer useless.
The portal also carried an IDOR flaw — Insecure Direct Object Reference — where simply changing an ID number in a request could surface another user's data, no authentication required.
He flagged poorly protected internal dashboards and a weak password-reset process too.
“Anyone with limited technical knowledge could have explored this,” he told Decode.
Reported In February, Conceded In May
Adhikary first reported at least six vulnerabilities to CERT-In, the government's nodal cybersecurity agency, on February 25, through a series of emails. "They acknowledged the emails but no fixes were implemented for months," he said. "I waited until the results were declared before making my findings public."
On May 22, he published a detailed blog laying out the flaws. The X post linking to it went viral within hours, landing in a moment when public faith in India's exam infrastructure was already shaky after the NEET paper-leak row.
CBSE's first instinct was to deny. Four days after the post spread, the Board addressed it on X without conceding any lapse, calling the concern a misunderstood link — a testing site with dummy data, it said, with "no compromise or vulnerability" in the actual evaluation system.
Adhikary pushed back the same day, posting screenshots and screen recordings and asking how real student information could have surfaced on a portal that supposedly held only test data. "The Board was just embarrassing itself," he said in hindsight.
Then, on May 31, the position shifted. CBSE acknowledged "identifiable vulnerabilities," said they had been "contained," and credited "alert citizens and ethical hackers," adding that it had reached out to some of them.
By Adhikary's count, the admission came more than three months after he first reported the flaws, nine days after he went public, and five days after the Board had dismissed his findings outright.
"I'm happy and satisfied that they finally acknowledged it," he said. "But they are still being a little dishonest."
The Board, he noted, has not contacted him.
What Students Were Living Through
While Adhikary's findings pointed to structural gaps, students were watching the system falter as their results came out.
This year, the Class 12 pass percentage slid to 85.20%, down more than three points from last year.
For those unhappy with their scores, the re-evaluation portal was the next step. And it buckled almost immediately. The window opened on May 19 and crashed under traffic; CBSE pulled the link, reopened it on May 20, then slipped into maintenance again on May 21. Deadlines were pushed twice, but the issue persisted.
Students kept tagging CBSE on X: applications freezing midway, payments failing without confirmation, answer sheets too blurred to read, and in some cases, answer sheets that were not theirs.
Vedant Shrivastava, a Class 12 student in Delhi, flagged unexpectedly low marks in Physics and shared screenshots showing that the handwriting on the sheet filed under his name wasn’t his.
Instead of scrutiny of the system, the teenager drew abuse — branded “anti-national” and even labelled “Pakistani”, a narrative amplified by Doordarshan News anchor Ashok Shrivastav.
Vedant was targeted with trolling on X. (Real comments, compiled using AI)
CBSE later said it had reviewed the matter, emailed Shrivastava the correct answer sheet, and was updating his result.
As complaints from students mounted, the Board's public line softened in stages.
On May 23 it attributed payment delays, blurred pages and unmarked responses to "technical capacity challenges and student apprehensions". A day later it admitted glitches had caused wrong fee deductions and promised refunds. The system once sold as "transparent and efficient," and as a "secure and robust IT platform," kept glitching.
The May 31 concession of vulnerabilities was the most direct admission yet — and it matched what Adhikary had been saying since February.
A Generation Auditing The System
CBSE sits at the centre of one of the world's largest school examination networks — over 28,000 schools in India and more than 240 abroad. Adhikary isn't the only teenager turning that scale into a question.
Sarthak Sidhant, a 17-year-old from Jharkhand, published an analysis of CBSE's tender documents arguing that eligibility criteria shifted across successive bidding rounds in ways that allegedly favoured the eventual vendor, Coempt EduTeck. Both the firm and CBSE have denied any wrongdoing.
Where students once compared answer keys, a loose group of them began cross-referencing procurement clauses.
The pressure registered. Union Education Minister Dharmendra Pradhan acknowledged discrepancies in the OSM process and promised strict action against those responsible, with the ministry ordering an audit "from tendering to execution" and cybersecurity specialists from IIT Madras and IIT Kanpur brought in to assess the platform.
The 19-year-old ethical hacker, Nisarga Adhikary, too, took his share of abuse and allegations after going public. He stayed unbothered. "The troll ecosystem works like that," he said.
"It didn't bother me as long as the fixes were made without further delay."
His parents worried about legal fallout; it didn't deter him.
He has since been in touch with the Internet Freedom Foundation, a digital rights group that offered support, and continues to flag security issues in other live CBSE portals that he alleges are leaking personal information — reporting them to both CBSE and CERT-In.
For him, the story now is about what comes next. "Proper security measures and audits" are essential, he said, to prevent a repeat.
As for his own path, the 19-year-old has plans to build a startup. "I might not sign up for a degree."
