CBSE Strengthens OSM Security by Engaging IIT Experts Amid Vulnerability Concerns

The Central Board of Secondary Education (CBSE) has taken significant steps to address vulnerabilities in its On-Screen Marking (OSM) platform, which is crucial for evaluating Class 12 board examinations. In response to alarming reports from security researchers and ethical hackers, CBSE has enlisted cybersecurity specialists from IIT Madras, IIT Kanpur, and various government agencies to conduct a comprehensive security assessment of the platform.

Launched in 2026, the OSM portal has faced scrutiny due to allegations of multiple security weaknesses. On May 31, 2026, CBSE acknowledged these vulnerabilities in an official statement shared on X, confirming that remedial measures were already in progress. The board stated, “The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out.”

Decoding the OSM Vulnerability

The controversy surrounding the OSM platform intensified as security researchers and ethical hackers brought several alleged flaws to light. These vulnerabilities raised concerns about the potential exposure of sensitive examination-related data and administrative controls. Among the reported issues were:

• A hardcoded master password allegedly embedded within publicly accessible source code, enabling unauthorized access.
• One-time passwords (OTPs) that were reportedly visible through web browsers without requiring authentication.
• The ability to reset evaluator passwords without proper authorization.
• Potential access to or modification of student marks stored within the system.
• An Amazon Web Services (AWS) cloud storage bucket that allegedly contained scanned 2026 examination records accessible publicly without login credentials.

Ethical hacker Nisarga Adhikary further alleged that scanned answer sheets and question papers stored in the AWS repository could be viewed and downloaded without authentication. These claims heightened concerns regarding the scale and potential impact of the reported OSM vulnerabilities.

CBSE Deploys Expert Teams for Security Audit

In light of these vulnerabilities, CBSE has assembled a specialized team comprising experts from IIT Madras, IIT Kanpur, and the Digital Infrastructure Corporation of India. Their objective is to conduct a thorough audit of the OSM platform and identify any remaining vulnerabilities. According to the board, these security teams have been actively working on the matter for several days. CBSE confirmed that all known vulnerabilities have been contained and that the platform is currently being migrated to a more secure environment as part of a broader strengthening initiative.

The board has also initiated direct communication with some of the security researchers who reported the issues, aiming to foster collaboration and transparency in addressing the vulnerabilities.

CBSE’s Security Measures at a Glance

CBSE’s proactive response to the reported OSM vulnerabilities includes the deployment of cybersecurity teams from IIT Madras, IIT Kanpur, and the Digital Infrastructure Corporation of India. These experts have been assessing the system and strengthening its security framework. The board has reiterated that the known vulnerabilities identified in the OSM portal have been contained, and the platform is undergoing migration to a more secure environment to enhance protection against potential cyber threats.

Moreover, CBSE has engaged directly with some of the ethical hackers and security researchers who highlighted the issues. The board has invited additional inputs from researchers and cybersecurity professionals, requesting that any relevant information or findings be shared with its security team via email.

Board Invites Further Input from Researchers

CBSE has publicly acknowledged the critical role played by ethical hackers and security researchers in identifying weaknesses within the OSM platform. In its statement, the board expressed gratitude to those who pointed out such vulnerabilities and confirmed that they have reached out to some of these individuals directly. The board has encouraged others to contact its security teams for any further insights.

CBSE reiterated that the identified OSM vulnerability issues have been contained while a wider security review is ongoing.

Post-Result Services Begin Despite Security Concerns

Despite the ongoing scrutiny surrounding the OSM platform, CBSE proceeded with the launch of its Class 12 post-result services on June 1, 2026, as scheduled. Students who appeared for the Class 12 board exam can now access post-result services through the official portal and apply for:

• Scanned copies of answer books
• Verification of marks
• Re-evaluation requests

CBSE stated that the portal underwent security hardening measures before becoming operational on June 1. The controversy has also expanded beyond cybersecurity concerns, as student Sarthak Sidhant raised questions regarding the procurement and tendering process associated with the OSM system, adding another layer to the ongoing debate.

For further details on the vulnerabilities and CBSE’s response, visit the cyberexpress.com.

Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.