CBSE OSM Portal Security Incident Raises Concerns Over AI-Assisted Breaches

A government-backed expert panel found serious security flaws in CBSE’s OSM evaluation portal, highlighting how AI tools like Claude exposed vulnerabilities, prompting MeitY intervention, infrastructure migration, and renewed focus on cybersecurity in critical education systems.
Written By:
Santosh Kadali
Reviewed By:
Sankha Ghosh

More details are emerging about the CBSE evaluation portal controversy, and the situation appears increasingly complex. A high-level expert panel from IIT Kanpur and IIT Madras, appointed to investigate and secure CBSE’s On-Screen Marking (OSM) portal, found that Claude was used to identify vulnerabilities and take over the system.

According to the Economic Times, the CBSE systems were not equipped to defend against AI probing attacks. It was also reported that the OSM vendor, Coempt Edutech, lacked the necessary expertise and capability to adequately secure the portal.

Following the findings of the team supported by the Ministry of Electronics and Information Technology (MeitY), CBSE’s OSM data was shifted from a private vendor to Amazon Web Services’ managed government segment.

How the Security Flaws Came to Light

The OSM system was introduced to digitize the evaluation of Class 12 answer sheets, allowing them to be scanned and assessed online. However, soon after its rollout, students began reporting a range of issues, including missing pages and answer sheets being mixed up between candidates. As these complaints mounted, deeper concerns about the platform's security and reliability started to emerge.

Nisarga Adhikary, a 19-year-old cybersecurity researcher, claimed on a public forum that he detected significant flaws several months before the controversy erupted. The vulnerabilities included password resets and examiner impersonation. He trolled the CBSE portal, saying it was ‘one of the easiest hacks of my life,’ requiring no programming language. He alerted CERT-In and several other authorities, received a cold response, and eventually had to make the issue public.

CBSE responded to Adhikary's allegation, saying that the site he was referencing was a testing platform containing sample data, not the actual evaluation portal. The expert panel, however, stayed away from this debate and directed its efforts towards finding the underlying issues and how Claude and other AI tools can sabotage the security of these important national-level portals.


Impact and Measures Taken

It remains unclear how much of the problem was known beforehand, whether earlier complaints were adequately addressed, and to what extent security shortcomings contributed to the incident. The episode has raised concerns about the resilience of digital systems that play a critical role in students' academic futures.

However, MeitY has issued an advisory to government departments about what it describes as a lack of ‘elementary hygiene’ during technology transitions. It has emphasized building security into systems from the design stage rather than attempting to address vulnerabilities after deployment.
