Indian exam board admits to cybersecurity holes found by teen

A national school exam board in India said it has been monitoring and has contained vulnerabilities in its online grading portal for one of the country’s most important school-leaving exams after a teenage cybersecurity researcher first flagged them.

The Central Board of Secondary Education (CBSE), which is government-run and one of India’s main school exam boards, said in a post on social media platform X that it has been “closely monitoring” weaknesses in the OnMark portal – an online grading website for teachers – after they were publicly flagged.

The portal, first introduced in 2026, uploads scanned copies of students’ physical answer books for teachers to grade digitally. 

The controversy stems from complaints by students that their physical answer sheets did not match the digital versions shared by the education board upon request for re-evaluation.

The incident has sparked outrage on social media, forcing the CBSE and Indian Education Minister Dharmendra Pradhan to address the concerns.

In India, millions of students sit the crucial exam each year as a gateway to further higher studies. In 2026, around 1.8 million took the exam across the country, according to a statement by the CBSE. The board announced the results of the exams on May 13.    

“The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out,” the board said in the post.

Cybersecurity experts from government agencies and top engineering colleges have been deployed over the past several days to strengthen the systems, including moving them to “a more secure set-up”, it added.

It is the latest episode to beset India’s education industry, which earlier in May was rocked by the annulment of a national exam for medical students following a probe.

It has also raised questions about the security of digital exam-marking infrastructure in one of the world’s largest school systems and heightened pressure on Prime Minister Narendra Modi’s administration to address the issues. 

In a blog post on May 22, teenage cybersecurity researcher Nisarga Adhikary flagged that the online grading portal used by CBSE could have permitted a full takeover of an examiner’s account and potentially allowed tampering with marks or disruption of the grading process.

Adhikary said he disclosed five critical vulnerabilities in the on-screen marking portal to the country’s Computer Emergency Response Team on Feb 25. The emergency response agency acknowledged the disclosure with a standard e-mail but did not follow up, he added.

CBSE said last week that its grading portal was neither compromised nor did it have the vulnerabilities flagged in a social media post. It emphasised that no security breaches had come to light. 

The issue has drawn scrutiny on Pradhan, with the country’s largest opposition party leader Rahul Gandhi on May 29 calling for a court-led inquiry into the award of the contract to the external agency responsible for operating and maintaining the grading portal. BLOOMBERG