A 19-year-old ethical hacker from West Bengal, Nisarga Adhikary, has publicly demonstrated unauthorized access to a portal linked to India's Central Board of Secondary Education (CBSE) for the second time, running the viral "Bad Apple" animation on a CBSE-linked dashboard as proof of concept. CBSE has rejected claims of a breach to its production environment, insisting the affected system was a testing platform with sample data, even as Adhikary maintains the underlying vulnerabilities remain serious and unaddressed.
What Happened
On May 30, 2026, Adhikary, a Class 12 student and self-described cybersecurity researcher, published videos and screenshots showing the monochrome "Bad Apple" animation rendering on a CBSE-linked dashboard. He claims this is his second successful intrusion into infrastructure tied to CBSE's On-Screen Marking (OSM) evaluation ecosystem. According to Adhikary, he had previously disclosed multiple vulnerabilities to CERT-In and other authorities months prior, but the issues were not remediated. CBSE responded by characterizing the affected system as a non-production testing portal containing only sample data, denying that any live evaluation infrastructure was compromised.
What Was Taken
No confirmed exfiltration of student records, answer sheets, or evaluation data has been reported. The demonstration was a visual proof-of-concept rather than a data theft event. However, Adhikary asserts the discovered flaws could permit unauthorized access to examiner accounts, password resets, and modification of student marks if exploited maliciously. The dispute between the researcher's claims and CBSE's official statement leaves the true blast radius unresolved, particularly regarding whether the testing portal shared credentials, code paths, or trust relationships with production systems.
Why It Matters
CBSE administers board examinations for tens of millions of students across India, and the integrity of its evaluation system has direct consequences for university admissions, career trajectories, and public trust in centralized education infrastructure. The incident arrives mid-rollout of the OSM digital evaluation platform, which is already under fire for answer-sheet mix-ups, blurred scans, portal crashes, and roughly 20 reported evaluation discrepancy cases. A denial-first posture from a public-sector body that publicly contradicts a researcher's verifiable demonstration is itself a threat-intelligence signal: it suggests vulnerability disclosure channels (including CERT-In escalation) are not being operationalized into remediation.
The Attack Technique
Specific exploitation details have not been publicly released, but the researcher's claims point to authentication and authorization weaknesses in the OSM ecosystem, including potential examiner account takeover, password reset abuse, and unauthorized write access to evaluation records. The ability to render arbitrary content (the "Bad Apple" animation) on a dashboard suggests either stored cross-site scripting, an unauthenticated file upload primitive, or direct server-side write access to a hosted asset. The recurrence of access after a prior incident indicates that patching, if any, was incomplete or did not address the root cause across the testing and production environments.
What Organizations Should Do
- Treat researcher disclosures as time-bound obligations. Establish a vulnerability disclosure program with enforced SLAs and an executive escalation path when CERT-In or equivalent national CERTs route reports.
- Audit parity between testing, staging, and production environments. Testing portals with "sample data" frequently share authentication backends, code, or network trust with production and must be hardened identically.
- Enforce strict content security policies and disable arbitrary file uploads or HTML rendering on internal dashboards to remove the most common stored-XSS and content-injection primitives.
- Require multi-factor authentication and rate-limit password reset flows for any account capable of modifying student records, grades, or evaluation data.
- Conduct independent third-party penetration testing of evaluation systems prior to high-stakes processing windows, and publish remediation status to stakeholders.
- Replace denial-mode public communications with a coordinated disclosure response. Acknowledging scope and remediation timelines reduces reputational damage and disincentivizes adversarial public proof-of-concepts.
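The reset-flow controls in the two preceding recommendations (rate-limiting password resets and requiring MFA on any account that can alter marks), as an added example that is not CBSE or OSM code. The role names, limits and account identifiers are constructed assumptions for illustration.

```python
"""Password-reset guard for a marks-evaluation portal (added example).

Combines two controls: a sliding-window limit on self-service resets per
account and per source address, and a hard refusal of self-service reset
for roles that can modify marks unless MFA is already enrolled.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Roles assumed able to change marks (constructed names); they must have
# MFA enrolled before a self-service reset is permitted at all.
PRIVILEGED_ROLES = {"examiner", "head_examiner", "moderator"}

RESET_LIMIT = 3          # resets permitted per account ...
WINDOW_SECONDS = 3600    # ... within this sliding window
SOURCE_LIMIT = 10        # resets permitted per source address per window


@dataclass
class ResetGuard:
    # timestamps of accepted resets, keyed by account and by source address
    by_account: dict = field(default_factory=lambda: defaultdict(deque))
    by_source: dict = field(default_factory=lambda: defaultdict(deque))

    def _count(self, bucket, key, now):
        """Drop timestamps older than the window, return what remains."""
        q = bucket[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def decide(self, account, role, mfa_enrolled, source, now):
        """Return (allowed, reason). Every check fails closed.

        Denied attempts are not recorded, so an attacker hammering an
        examiner account cannot extend that examiner's lockout; the
        per-source limit still caps spraying many accounts from one host.
        """
        if role in PRIVILEGED_ROLES and not mfa_enrolled:
            return False, "privileged account without MFA: manual reset only"
        if self._count(self.by_account, account, now) >= RESET_LIMIT:
            return False, "per-account reset limit reached"
        if self._count(self.by_source, source, now) >= SOURCE_LIMIT:
            return False, "per-source reset limit reached"
        self.by_account[account].append(now)
        self.by_source[source].append(now)
        return True, "ok"
```

Timestamps are plain seconds so the window logic can be exercised deterministically; in a deployment `now` would come from the request clock and the buckets from a shared store.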
Sources: 19-Year Old Hacks CBSE Website, 2nd Time; CBSE Still Clueless, In Denail Mode - Trak.in