A Bengaluru-based cybersecurity researcher has breached two domains of the Central Board of Secondary Education's On-Screen Marking portal, demonstrating access that CBSE officials had publicly denied was possible. Nisarga Adhikary, who recently completed Class 12, said he and his collaborators obtained full CRUD and shell access to CBSE's production servers, then uploaded content to the live database to prove the point.
CRUD stands for Create, Read, Update, and Delete. These are the four basic operations used to manage data in a database. Shell access, specifically SSH (Secure Shell), allows a user to control a remote computer over a network as if sitting in front of it. Together, CRUD and shell access on a production server effectively mean an outsider could read, alter, or delete any data stored there, and run commands directly on the system.
Adhikary first flagged the vulnerabilities to CERT-In, India's national cybersecurity agency, more than three months ago. When the agency did not act, he published a detailed blog on May 22 listing the specific security flaws in the OSM system, which CBSE uses for the digital evaluation of answer sheets. The public disclosure prompted a denial from CBSE's Regional Head Rajesh Kumar Gupta, who told news agency IANS: "Regarding your question about the website being hacked, I completely deny it. I am rejecting this allegation outright. Because exams are being conducted offline so there are no questions of website being hacked."
That denial appears to have directly triggered the demonstration. Adhikary responded by uploading several pieces of content to CBSE's backend database, including a message displaying the word "PWNED," a GIF of an internet meme character, and YouTube video embeds. He also posted a screen recording of the animated "Bad Apple" video playing on CBSE's production site. Archived versions of the affected pages were shared publicly to document the access.
Why the official response made things worse
The sequence here matters. A researcher found serious flaws, reported them through the official channel, waited over three months, published them when ignored, and then proved access after a public denial. Each step represents a failure of the standard responsible disclosure process that CERT-In is meant to support. The official dismissal, citing offline exams as a reason hacking was impossible, conflates exam delivery with server security. An offline exam does not protect a web-facing server from remote intrusion.
Adhikary also claimed super admin access to a separate subdomain, cbseosm.onmark.co.in, describing it as a system involved in exam evaluation at various universities. A CBSE notification dated February 21, 2026, informing school principals about mock evaluations, contained the same URL he originally exposed, suggesting the subdomain was part of active official infrastructure at the time of the breach.
What this means for exam data and institutional security
The OSM system handles the digital marking of physical answer sheets for one of India's largest school examination boards. CRUD access to such a system, in principle, allows an attacker to read student responses, alter marks, or delete records. Shell access goes further, potentially allowing malware installation or broader lateral movement within connected systems. Neither CBSE nor CERT-In has confirmed whether any student data was accessed or modified.
The episode also raises questions about CERT-In's triage process. India's cybersecurity agency has a formal vulnerability reporting mechanism, but a three-month lag with no visible action on a production government system suggests either a process failure or a prioritisation gap. CERT-In recently published a blueprint for defending against AI-assisted cyber threats, making the lack of response to a straightforward vulnerability report more conspicuous.
CBSE has not issued a revised statement as of the time of this report. CERT-In has not publicly acknowledged the researcher's disclosure or the subsequent breach demonstration. The vulnerability in the OSM portal remains unpatched based on available public information. The next visible step is whether either body responds publicly now that production servers have been accessed and archived proof is available online.