A Class 12 cybersecurity researcher gained full create, read, update, and delete (CRUD) access to CBSE's production servers. The exploit came after CBSE initially denied the vulnerabilities and acknowledged them only eight days after public disclosure. The breach reportedly exposed a massive amount of Personally Identifiable Information (PII) from another live portal.
How We Got Here
Nisarga Adhikary, a Bengaluru-based researcher, first publicly exposed CBSE's On-Screen Marking system vulnerabilities on May 22, 2026. This public disclosure followed three months of unaddressed alerts to CERT-In, India's cybersecurity agency.
The Numbers
- Nisarga demonstrated shell access to the CBSE production servers.
- He claimed super admin access to the onmark.co.in subdomain, which handles university exam evaluation.
- Proof included a screen recording of the iconic Bad Apple video playing on CBSE's production site.
- CBSE acknowledged vulnerabilities on June 1, 2026, stating an expert team was deployed.
- Just a day before CBSE's June 1 acknowledgement, Nisarga had flagged another live portal exploit leaking PII.
What Happens Next
🇮🇳 Why This Matters for India
For the millions of students and educators across Tier-2 and Tier-3 cities relying on government education platforms, such breaches erode critical trust in digital infrastructure and data security.
The Take
CBSE's sluggish response to a Class 12 researcher highlights how ill-equipped many large government tech systems remain against persistent threats. The real winners here are tenacious bug bounty hunters, not official cybersecurity agencies.
Source: MediaNama