CBSE’s New On Screen Marking System Flags Vulnerability.

New Delhi; May 2026: The Central Board Of Secondary Education (CBSE) this year on 09th February has introduced an upgraded examination system: the On-Screen Marking (OSM) protocol. The promise was alluring—standardised marking, quicker results, transparency, elimination of manual errors and the convenience of remote evaluation. The announcement was formalised just a week before the class 12 board examinations which began on 17th February. It was eventually deployed on 03rd March, when evaluation began.

Most importantly – ‘Pariksha pe Charcha’ — Prime Minister Narendra Modi’s annual interaction with examinees, teachers and parents, was aired nationally on 09th February. Surely no coincidence. The honourable Prime Minister has not barged upon the seriousness of the allegations, despite several complaints from students and teachers, and demands to scrap the results that were declared on 13th May 2026.

Rushed implementation, without vetting the admissibility of the newly introduced methodology, meant insufficient system testing leading to portal crashes, login failures, slow-loading user interfaces and poor scan quality. Some answer sheets went missing or were blurred; supplementary sheets were lost or wrongly linked.

An estimated 25,000-30,000 teachers participated in the marking, but many reported that training was limited to a few hurried webinars and mock evaluations. Some evaluators said they got less than a week’s worth of dry runs, others that the process continued till the day before results were announced. Evaluators had to juggle marking with their regular teaching and administrative responsibilities, including Booth Level Officer duties in poll-bound states! Multitasking under surveillance was stressful and compromised the quality of assessment, with many evaluators reporting screen fatigue.

As Professor Anita Rampal, educationist and former dean, faculty of education, Delhi University, said in a panel discussion, “We cannot replace human agency and cognitive processes, with something completely mindless. You don’t scroll an answer sheet and then mark it in a linear manner. Also, people are conscious they are being monitored. The camera is there. If someone took longer, they said they got a phone call. Why is this evaluator taking so long on this question? We are not robots and we shouldn’t be turning humans into robots”.

The CBSE’s claim that OSM would sharply reduce demands for verification and re-evaluation has virtually turned out to be a farce. A record 04 lakh examinees, which is 400% higher than last year, has applied for re-evaluation, unhappy with scores and pipeline chaos that led to massive distress for students and teachers alike.

The CBSE’s assurance that digital logs would enhance transparency and traceability, by recording who marked what and when, ignored a more important question: is the system secure? The ease with which it was hacked has thrown the entire marking process into doubt, raising all sorts of uncomfortable questions. Who insisted on transitioning to this new system in such a hurry? How was the vendor picked? Were there bad actors at play? How does the CBSE vouch for the sanctity of these results?

While many universities and education boards have indeed digitised evaluation, none made the shift so hurriedly or on such a massive scale. Most largescale deployment occurs after years of pilot testing, capacity building, contingency planning and strengthening of infrastructure.

The UK’s AQA (Assessment and Qualifications Alliance), for example, evaluates 13 lakh students through OSM, with 60,000 trained evaluators, which is 200% higher the number CBSE engaged for a far larger cohort. CBSE’s rushed effort, with ill-equipped evaluators and unstable IT infrastructure, was a recipe for disaster.

CBSE’s selection of assessment agency is also highly deplorable. Coempt Edutech (formerly Globarena Tech) was awarded the contract in August 2025, giving it less than 06 months to develop, test, train and deploy a mission-critical system.

Opposition leaders, including LoP (Lok Sabha) Rahul Gandhi, have highlighted the company’s tainted record. In 2019, the evaluation for Telangana’s intermediate public examination was outsourced to Globarena. Marking errors, including being marked absent for the exam, led to a tragic number of suicides.

Given this assessment partner’s record, one wonders about the integrity of the due diligence exercise on the technical, security and ethical grounds. CBSE has not disclosed the selection or bidding criteria, who the other bidders were and why a tainted vendor was picked over the others, if any were in the fray. The delayed and sketchy commencement of evaluator training is another red flag. If the contract was awarded in August 2025, why did training begin in early 2026?

CBSE found itself in a utter dismay, after a 19-year-old student, Nisarga Adhikary from Siliguri, West Bengal, hacked into the OSM portal on 25th February 2026. “I got curious”, he said, speaking to Money Control. “They had rolled out a new portal (http://cbse.onmark.co.in) for digital evaluation of copies. I started looking around and found the domain. Teachers were already using it and there were videos about it online”. He has examined the website’s publicly accessible JavaScript files and located the master password through a simple keyboard search: Ctrl+F. What he found inside was, in his own words, ‘horrible’.

In a public blogpost, the teenager Nisarga Adhikary has flagged five critical vulnerabilities ‘from authentication bypass to full account takeover’:

• Anyone could log in as an examiner using publicly obtainable school codes and a master password ‘leaked in the front-end’

• OTP validation was reduced to ‘pure theatre’ with the ‘secret’ given directly to the browser

• No ‘route guards’ made it a ‘walk-in’, so you could access any internal page with no authentication at all

• Since no current password was ever verified, you could change it to any new password you liked

• A catastrophic vulnerability at the architectural level—Insecure Direct Object Reference—meant anybody could take over any examiner’s account, view assigned answer papers, and alter marks

‘At the scale of a national board exam’, Nisarga wrote, ‘the integrity implications speak for themselves’.

When he reported the vulnerabilities to CERT-In (Computer Emergency Response Team-India) that very day, they asked for details and video proof and assured him that it was taking up the issue with CBSE. While some flaws pointed out by him were indeed fixed, others were not addressed at all.

In May, Nisarga discovered another vulnerability that exposed usernames, passwords and bank details of evaluators. Once again, he reported the issue to CERT-In. This time, he received only an email acknowledgement.

On 26th May, the Internet Freedom Foundation (IFF) posted on “X”, “When a national board exam system can be hacked this easily, the question is no longer just cybersecurity. It becomes a question of fairness, trust and the future of millions of students”.

The IFF has written to the secretary, department of school education and literacy and the director-general, CERT-In. It has sought a ministerial investigation into the CBSE’s procurement, deployment and operation of the OSM portal, a review of the contract with the vendor and his liability, immediate remedial measures including a forensic review of the evaluation of class 12 results and an independent public audit and publication of its findings.

CBSE was so deeply in denial, it initially denied that the portal was live, that Nisarga had hacked a dummy site. When he pointed out that the domain was shared in official CBSE communications to students, the portal was quietly retired.

Team Maverick.