Indian exam board admits to cybersecurity holes found by teen

A national school exam board in India said it has been monitoring and has contained vulnerabilities in its online grading portal for one of the country’s most important school-leaving exams after a teenage cybersecurity researcher first flagged them.

The Central Board of Secondary Education (CBSE), which is government-run and one of India’s main school exam boards, said in a post on social media platform X that it has been “closely monitoring” weaknesses in the OnMark portal – an online grading website for teachers – after they were publicly flagged.

The portal, introduced in 2026, uploads scanned copies of students’ physical answer books for teachers to grade digitally. 

The controversy stems from complaints by students that their physical answer sheets did not match the digital versions shared by the education board upon request for re-evaluation.

The incident has sparked outrage on social media, forcing the CBSE and Indian Education Minister Dharmendra Pradhan to address the concerns.

In India, millions of students sit the exam each year as a gateway to further higher studies. In 2026, around 1.8 million took the exam across the country, according to the CBSE. It announced the results of the exams on May 13.    

“The identified vulnerabilities have been contained and other exploitable weaknesses are being ruled out,” it said in the post.

Cybersecurity experts from government agencies and top engineering colleges have been deployed to strengthen the systems, including moving them to “a more secure set-up”, it added.

It is the latest episode to beset India’s education industry, which in May was rocked by the annulment of a national exam for medical students following a probe.

It has also raised questions about the security of digital exam-marking infrastructure and heightened pressure on the government to address the issues. 

In a blog post on May 22, teenage cybersecurity researcher Nisarga Adhikary flagged that the CBSE online grading portal could have permitted a full takeover of an examiner’s account and potentially allowed tampering with marks or disruption of the grading process.

Adhikary said he disclosed five critical vulnerabilities in the on-screen marking portal to the Computer Emergency Response Team on Feb 25. It acknowledged the disclosure with an e-mail but did not follow up, he added.

CBSE said its grading portal was neither compromised nor did it have the vulnerabilities flagged. It emphasised that no security breaches had come to light. 

The country’s largest opposition party leader Rahul Gandhi called on May 29 for a court-led inquiry into the award of the contract to the external agency responsible for operating and maintaining the grading portal. BLOOMBERG