The Central Board of Secondary Education (CBSE) has intensified its response to concerns about an OSM vulnerability by engaging cybersecurity specialists from IIT Madras, IIT Kanpur, and several government agencies to conduct a detailed security assessment of its On-Screen Marking (OSM) platform.
The portal, introduced in 2026 for the evaluation of the Class 12 board exam, has come under scrutiny following allegations from security researchers and ethical hackers about multiple weaknesses in the system.
In an official statement shared on X on May 31, 2026, CBSE acknowledged the issue and confirmed that remedial measures were already underway. The board stated, “The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out.”
The announcement is a notable development in the controversy surrounding the OSM platform. While CBSE had previously maintained that the system was secure, the latest statement confirms that vulnerabilities did exist and required immediate attention from cybersecurity experts.
Decoding the OSM Vulnerability
The controversy emerged after security researchers and ethical hackers highlighted several alleged flaws in the OSM platform used for the Class 12 board exam evaluation process. According to the concerns raised, the vulnerabilities could have exposed sensitive examination-related data and administrative controls.
Among the issues reported were:
- A hardcoded master password allegedly embedded within publicly accessible source code, potentially enabling unauthorized access.
- One-time passwords (OTPs) are reportedly visible through web browsers without requiring authentication.
- The ability to reset evaluator passwords without proper authorization.
- Potential access to or modification of student marks stored within the system.
- An Amazon Web Services (AWS) cloud storage bucket allegedly contains scanned 2026 examination records that could be accessed publicly without login credentials.
Ethical hacker Nisarga Adhikary further alleged that scanned answer sheets and question papers stored within the AWS repository could be viewed and downloaded without authentication. These allegations intensified concerns regarding the scale and potential impact of the reported OSM vulnerability.
CBSE Deploys Expert Teams for Security Audit
As part of its response, CBSE has assembled a specialized team comprising experts from IIT Madras, IIT Kanpur, and the Digital Infrastructure Corporation of India. The objective is to perform a comprehensive audit of the platform and identify any remaining vulnerabilities.
According to the board, the security teams have been working on the matter for several days. CBSE stated that all known vulnerabilities have been contained and that the platform is currently being migrated to a more secure environment as part of a broader strengthening exercise.
The board has also initiated direct communication with some of the security researchers who reported the issues.
CBSE’s Security Measures at a Glance
As part of its response to the reported OSM vulnerability, CBSE has deployed a specialized team comprising experts from IIT Madras, IIT Kanpur, and the Digital Infrastructure Corporation of India. The board said these cybersecurity teams have been working on the matter for several days to assess the system and strengthen its security framework.
According to CBSE, the known vulnerabilities identified in the OSM portal have been contained. The board also stated that the platform is currently being migrated to a more secure environment as part of its broader effort to enhance protection against potential cyber threats.
CBSE has engaged directly with some of the security researchers and ethical hackers who brought the issues to light. The board has also invited additional inputs from researchers and cybersecurity professionals, requesting that any relevant information or findings be shared with its security team via email at [email protected].
Board Invites Further Input from Researchers
CBSE publicly acknowledged the role played by ethical hackers and security researchers in identifying weaknesses within the platform.
In its statement, the board said:
“We are grateful to all alert citizens and ethical hackers pointing out such weaknesses and have gotten in touch with some of them directly.”
The board further added:
“We request any others to reach out to our security teams at [email protected] for any further inputs.”
CBSE reiterated that the identified OSM vulnerability issues have been contained while a wider security review remains ongoing.
Post-Result Services Begin Despite Security Concerns
Despite the ongoing scrutiny surrounding the OSM platform, CBSE proceeded with the launch of its Class 12 post-result services on June 1, 2026, as previously scheduled.
Students who appeared for the Class 12 board exam can now access post-result services through the official portal and apply for:
- Scanned copies of answer books
- Verification of marks
- Re-evaluation requests
CBSE stated that the portal underwent security hardening measures before becoming operational on June 1. The controversy has also expanded beyond cybersecurity concerns. Student Sarthak Sidhant had earlier raised questions regarding the procurement and tendering process associated with the OSM system, adding another layer to the ongoing debate.
