For two weeks, an IIT expert team worked 16 to 18 hours every day to patch vulnerabilities that were emerging in the CBSE IT ecosystem
The Central Board of Secondary Education (CBSE) invited ethical hacker Nisarga Adhikary, 19, this week for meetings with an Indian Institute of Technology (IIT) expert team to flag security gaps in its IT ecosystem. Mr. Adhikary had last month reported “critical vulnerabilities” in the portal that stores sensitive student data. The CBSE had earlier denied any breach in its data security.
“Nisarga is a bright kid. He found important vulnerabilities. We were curious to understand his thought process. Because he happened to be in Delhi, we exchanged messages and found him very focused on cybersecurity, so we called him in to help us fix the system,” a member of the IIT expert team said.
“It is very important to admit that there is a breach, but earlier CBSE was not properly advised on how to deal with the situation. On the contrary, when the JEE (Advanced) portal had a minor breach, we admitted the flaw and fixed it,” the member said.
Took two weeks to plug gaps
Top cybersecurity experts from the Indian Institutes of Technology, including the Directors of IIT-Madras and IIT-Kanpur, camped at the CBSE headquarters in New Delhi for nearly two weeks starting May 24 to fix the IT ecosystem.
“Top faculty members suddenly had to drop everything and stay put at CBSE for two weeks to patch vulnerabilities in two portals — the on-screen marking (OSM) portal OnMark, developed by private firm COEMPT Eduteck, and the CBSE portal for procuring answer sheets and applying for re-evaluation,” sources in the Education Ministry told The Hindu.
Tech troubles in CBSE
The IIT-Madras team consisted of two cybersecurity experts in addition to Director V. Kamakoti, while the IIT- Kanpur team consisted of Director Manindra Agarwal and a senior cybersecurity engineer.
Sources said that for two weeks, the expert team worked 16 to 18 hours every day to patch vulnerabilities that were emerging in the CBSE IT ecosystem. The team found that the OSM portal developed by COEMPT Eduteck had “a lot of vulnerabilities”, including “seven to eight” critical ones.
“The external vendor [COEMPT Eduteck] had severely misconfigured the cloud storage ‘buckets’ holding the data and kept unsecured backup copies of students’ answer scripts on their own servers. The team had to migrate the data to securely configured buckets,” the expert team member added. “We also asked COEMPT to delete answer script data backups from their servers and they have complied.”
Among the “critical vulnerabilities” that were fixed was an “Authentication Bypass”, which is a flaw that allowed anyone to log into the system without being a genuine student. The second vulnerability provided unauthorised administrative access to the central server. In addition, a ‘Data Exposure’ glitch allowed any logged-in user to extract the answer scripts of students.
“Once code is developed which is insecure, patching it is a herculean task,” the IIT expert explained, noting that changing a single flawed function often has a cascading effect across multiple different places in a massive codebase.
After the CBSE fiasco, an advisory has been issued across departments by the Centre to keep “cybersecurity hygiene” in consideration while hiring tech vendors, sources confirmed.
“Typically, we look at a vendor’s past developments, but we don’t look at it from a security point of view. The current vendor was engaged without the security aspect in mind. Going forward, we must look at their ability to build a secure portal,” a senior Education Ministry official said.
War room set up
To fix the system, the IIT expert team set up a classic “Red Team versus Blue Team” dynamic. The Blue Team — comprising IIT-Madras experts, CBSE developers, and the Digital India Corporation (DIC) officials —modified the code to defend the portals meant for re-evaluation and on-screen marking. The Red Team, consisting of IIT-Kanpur experts, acted as aggressive hackers, constantly trying to breach the system.
“Following four intense rounds of back-and-forth testing, the Red Team finally withdrew after being unable to find any more weaknesses,” Prof. Agarwal, Director, IIT-Kanpur, told The Hindu.
Prof. Agarwal said artificial intelligence tools, including Claude, were deployed to find vulnerabilities in an easier and faster manner.
After operating out of the CBSE headquarters for nearly two weeks, the IIT teams are now preparing to withdraw. They said that ensuring cybersecurity is a continuous process. “If issues come up and we are required, we will come back,” Prof. Agarwal said.
The re-evaluation portal was launched after extensive load management restructuring on Tuesday (June 2, 2026), and the work on securing OSM portal was successfully completed on Thursday evening, with it officially going live on Friday (June 5, 2026), officials confirmed.
The IIT Madras team returned on Thursday (June 4, 2026), while the IIT-Kanpur team will conclude their operations at the CBSE on Friday (June 5, 2026).
CBSE has an in-house team of four to five web developers who were working on the re-evaluation portal, but had “no appropriate guidance”, one of the expert members told The Hindu. The re-evaluation portal was first launched on May 19 but was later shut down after vulnerabilities were detected.
The CBSE had earlier appointed an empanelled auditor from Computer Emergency Response Team (CERT-In), which works under the Ministry of IT and Electronics (MiETY), to identify any cybersecurity loopholes but the auditor “failed to find any major security flaws”, the expert added.
Massive cyberattacks defended
On Tuesday (June 2, 2026) and Wednesday (June 3, 2026), the CBSE portal for re-evaluation faced massive, coordinated standard Denial of Service (DoS) attacks aimed at bringing the systems down, the IIT expert confirmed.
Within a mere two-minute window on Tuesday (June 2, 2026), the system was hit with 13 lakh login attempts. The next day, that number jumped to over 30 lakh attempts.
“While only a few thousand genuine students were trying to access copies at that moment, the attack multiplied the traffic 100 times over to freeze the system. Because of the newly implemented load management, the system held itself together,” the member added.
The IIT expert team will submit a formal report to the Education Ministry in the coming weeks.
Published – June 05, 2026 10:12 pm IST
