Last month, India saw a nationwide outcry, with millions of students posting online on platforms like X about alleged marking discrepancies in their recent Class 12 board exam results. The controversy erupted in mid-May when students such as Vedant, who had recently received his Class 12 board exam results, shared their experiences publicly.
On May 23, Vedant made a post in which he wrote: “I am a CBSE Class 12 student. After receiving unexpectedly low marks in Physics, we applied for photocopies of my answer sheets through the CBSE reevaluation process. Today, we received the copies, and I am shattered because the Physics answer sheet uploaded by CBSE is not mine.”
The allegations levelled by Vedant were grave, as the Central Board of Secondary Education (CBSE) is India’s national-level education body responsible for setting curricula, conducting examinations, and overseeing evaluations across the country. More than 27,000 schools are affiliated with the board.
Soon, other students also began posting their concerns in the comments under Vedant’s post, with allegations ranging from unchecked answers to other discrepancies in the evaluation process.
Around the same time, another post surfaced on X. A user named Nisarga claimed: “I had hacked CBSE’s OSM (On-Screen Marking Portal) in February and had reported the vulnerabilities to CERT-In, but they were unable to patch most of them.” The user also shared a link to a blog detailing the alleged vulnerabilities.
In his blog, Nisarga explained that CBSE is a massive education body governing thousands of schools and conducting examinations for millions of students across India. To streamline the evaluation process, the board had shifted to a digital On-Screen Marking (OSM) system for Class 12 board exams. Instead of checking physical answer sheets, examiners log into an online portal where scanned copies of answer scripts are assigned to them for evaluation.
“Because this platform is used by huge numbers of evaluators and handles sensitive academic data, its security really matters,” he wrote. According to the blog, the platform appeared to have been developed by Coempt EduTeck Pvt Ltd, and the same “OnMark” system was allegedly being used by multiple education boards and institutions.
While examining the system, Nisarga claimed he discovered “several critical vulnerabilities” in the OSM portal that could potentially allow full account takeovers of examiner accounts. “Anyone exploiting these could also tamper with or disrupt the grading process, which directly threatens the integrity of the exam evaluations,” he wrote.
He added that he had reported the vulnerabilities to CERT-In before publishing the blog.

A screenshot from his blog showing an email he sent reporting alleged cybersecurity vulnerabilities on the website.
How did he find the issues?
Nisarga stated that, first, it is important to understand his background. In his blog post, he wrote: “I just finished my Class 12 exams this year. I’ve done bug bounty and security work for fun before, so when CBSE rolled out OSM and I noticed the portal link was completely public, my curiosity got the better of me.”
He further wrote: “I opened the On-Screen Marking portal and started playing around with the HTTP requests and everything else I could see.”
HTTP requests are the basic messages exchanged between a user’s browser and a website’s server whenever someone opens a webpage, logs in, uploads a file, or submits information online. By inspecting these requests, cybersecurity researchers — and sometimes hackers — can understand how a website communicates internally, what data is being exchanged, and whether there are weaknesses in the system’s security protections. If a platform is poorly secured, manipulating these requests can sometimes allow attackers to access restricted information, bypass protections, or interfere with how a system functions.
Further ahead in his blog, he wrote: “The login page asks for three things: a user ID, a school code, and a password, followed by an OTP step. Nothing about that screen looks unusual. The problems only showed up once I stopped looking at the page and started looking at the code behind it.”
According to Nisarga, the alleged problems began with how the website itself was built. He claimed the portal used an Angular-based web application — a common type of modern website where most of the app’s code is downloaded directly into a user’s browser in the form of large JavaScript files. In simple terms, whenever someone opens the website, their browser receives the code that controls how the platform functions.
Nisarga wrote that one of these files was publicly accessible online without requiring any login. He said he downloaded the file, formatted the compressed code into a readable form, and began examining how the system worked internally.
What he allegedly discovered next, he claimed, was far more serious.
“Master password” allegedly exposed in website code
According to the blog post, the website’s frontend code allegedly contained what Nisarga described as a hardcoded “master password” written in plain text. In cybersecurity terms, this would mean a secret password was directly embedded into the website’s public code rather than securely stored on protected servers.
He further alleged that entering this password into the login page could bypass the normal OTP (One-Time Password) verification process entirely. OTP systems are designed as an additional layer of security, usually sending a temporary code to a phone or email before access is granted.
However, Nisarga claimed the system’s OTP protection could allegedly be skipped altogether. According to him, an attacker would only need a user ID and school code — information he said could be publicly obtained — along with the exposed password from the JavaScript file to gain access to examiner accounts.
He wrote that he was allegedly able to access the examiner dashboard, where evaluators review and upload marks.
OTP system allegedly verified inside the browser
Nisarga also alleged that the OTP verification itself was fundamentally insecure because the validation process happened inside the user’s own browser rather than securely on the server.
For ordinary users, this is similar to a teacher handing a student the answers to a test and then asking the same student to grade themselves. According to the blog, the server allegedly sent the OTP code back to the browser during login, meaning anyone inspecting the network traffic could potentially view it.
Because the verification allegedly happened locally on the user’s machine, Nisarga claimed someone could bypass the process without actually receiving the OTP.
“A security control that runs on the attacker’s machine isn’t a control at all,” he wrote.
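For contrast with the two login flaws described above (a bypass password shipped in the JavaScript bundle and an OTP compared in the browser), here is a sketch of an OTP step decided entirely on the server. It is an added example, not code from the blog or from the OSM portal; the function names, the in-memory store, the five-minute validity and the five-attempt limit are all assumptions.

```javascript
// Added example with hypothetical names; not code from the OSM portal.
const crypto = require('node:crypto');

const OTP_TTL_MS = 5 * 60 * 1000;          // assumed validity window
const MAX_ATTEMPTS = 5;                    // assumed guess limit per challenge
const SERVER_KEY = crypto.randomBytes(32); // never leaves the server
const pending = new Map();                 // in-memory stand-in for a server-side store

// Only a keyed digest of the code is stored, bound to its challenge id.
function digestOf(loginId, otp) {
  return crypto.createHmac('sha256', SERVER_KEY).update(`${loginId}:${otp}`).digest();
}

// Step 1: the password was already checked on the server. Issue a challenge.
// `deliver` is the out-of-band channel (SMS or e-mail gateway).
function startOtp(userId, deliver, now = Date.now()) {
  const otp = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  const loginId = crypto.randomBytes(16).toString('hex');
  pending.set(loginId, {
    userId,
    digest: digestOf(loginId, otp),
    expires: now + OTP_TTL_MS,
    attempts: 0,
  });
  deliver(userId, otp);
  return { loginId }; // the HTTP response body: no code, no digest
}

// Step 2: the browser submits what the user typed; the decision is made here.
// There is no shared bypass secret and no branch that skips the comparison.
function verifyOtp(loginId, submitted, now = Date.now()) {
  const entry = pending.get(loginId);
  if (!entry) return { ok: false, reason: 'unknown' };
  if (now > entry.expires) {
    pending.delete(loginId);
    return { ok: false, reason: 'expired' };
  }
  entry.attempts += 1;
  if (entry.attempts > MAX_ATTEMPTS) {
    pending.delete(loginId);
    return { ok: false, reason: 'locked' };
  }
  const candidate = digestOf(loginId, String(submitted));
  if (!crypto.timingSafeEqual(candidate, entry.digest)) {
    return { ok: false, reason: 'mismatch' };
  }
  pending.delete(loginId); // single use
  return { ok: true, userId: entry.userId };
}
```

A reviewer checking such a flow would confirm that the login response never carries the code and that a session is created only after `verifyOtp` returns `ok: true`.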
Internal pages allegedly accessible without logging in
Another issue described in the blog involved the website’s internal navigation system. Nisarga claimed several internal dashboard pages could allegedly be accessed directly by manipulating values stored in the browser.
Browsers commonly store temporary information — such as login sessions or user preferences — in local storage and session storage. According to the blog, changing a few of these stored values allegedly allowed someone to enter internal sections of the portal without proper authentication.
He claimed this could provide access to pages related to evaluation dashboards, examiner profiles, and answer-script management.
Password reset allegedly lacked proper verification
Nisarga further alleged that the platform’s “change password” feature did not properly verify a user’s current password before allowing a reset.
Normally, secure systems require users to first enter their existing password before setting a new one. However, according to his analysis, the request sent to the server allegedly ignored the old password entirely and only required a user ID and a new password.
If true, this could potentially allow attackers to reset another evaluator’s password without knowing their original credentials.
“IDOR” vulnerability allegedly affected the wider system
The blog also alleged the existence of what cybersecurity experts call an “Insecure Direct Object Reference” (IDOR) vulnerability. In simple terms, this happens when a system trusts user-controlled information too much.
Nisarga claimed the platform relied heavily on IDs stored in the browser itself to determine which user was making requests. According to him, simply changing those IDs could allegedly allow someone to impersonate another examiner.
He alleged that combining this issue with the password-reset flaw could potentially lead to complete account takeovers, enabling attackers to access examiner accounts and allegedly alter marks or evaluation data.
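The password-change and IDOR issues described above share one root cause: the server acting on an identity the browser supplied. The sketch below is an added example, not code from the blog or from the OSM portal; it shows a change-password handler that takes the account from the server-side session and requires the current password. The function names, the in-memory stores and the 12-character minimum are assumptions.

```javascript
// Added example with hypothetical names; not code from the OSM portal.
const crypto = require('node:crypto');

const MIN_PASSWORD_LENGTH = 12; // assumed policy
const users = new Map();    // userId -> { salt, hash }
const sessions = new Map(); // session token -> userId, set only after server-side login

const hashPassword = (password, salt) => crypto.scryptSync(password, salt, 32);

function setPassword(userId, password) {
  const salt = crypto.randomBytes(16);
  users.set(userId, { salt, hash: hashPassword(password, salt) });
}

function checkPassword(userId, password) {
  const user = users.get(userId);
  if (!user || typeof password !== 'string') return false;
  return crypto.timingSafeEqual(hashPassword(password, user.salt), user.hash);
}

function openSession(userId) {
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, userId);
  return token;
}

// body is the parsed JSON the browser sent: { userId?, currentPassword, newPassword }
function changePassword(sessionToken, body) {
  const userId = sessions.get(sessionToken);
  if (!userId) return { status: 401, error: 'not authenticated' };
  // A client-supplied id naming another account is refused, and is worth alerting on.
  if (body.userId !== undefined && body.userId !== userId) {
    return { status: 403, error: 'user id does not match session' };
  }
  if (!checkPassword(userId, body.currentPassword)) {
    return { status: 403, error: 'current password incorrect' };
  }
  if (typeof body.newPassword !== 'string' || body.newPassword.length < MIN_PASSWORD_LENGTH) {
    return { status: 400, error: 'new password too short' };
  }
  setPassword(userId, body.newPassword);
  // Revoke every other session of this account so a stolen token dies with the old password.
  for (const [token, owner] of sessions) {
    if (owner === userId && token !== sessionToken) sessions.delete(token);
  }
  return { status: 200 };
}
```

The same rule applies to every other endpoint: the examiner whose scripts or marks are touched is read from the session, never from a value held in local or session storage.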
“None of this required sophisticated exploitation”
In concluding the section, Nisarga claimed the vulnerabilities did not require advanced hacking tools or highly sophisticated methods.
“None of this required sophisticated exploitation,” he wrote. “The hardest part was reading a JavaScript file and editing a couple of values in DevTools.”
Questions raised over the company behind the platform
Then came another twist. Another student, Sarthak Sidhant, in a separate blog post, raised even more serious allegations regarding the company behind the platform.
At the beginning of the blog, the student wrote that the company which developed the CBSE checking platform, Coempt Edu Teck, was previously known as Globarena Technologies before winning the CBSE tender.
The student further alleged that Globarena Technologies was the same company linked to the 2019 Telangana Intermediate examination controversy.
“Globarena’s software failed miserably, and massively,” the student wrote, alleging that over 3.8 lakh students were affected due to missing marks and other systemic discrepancies. The blog further claimed that 23 students died by suicide following the controversy.
The student also alleged that a committee appointed by the Telangana government found that Globarena had never formally signed an agreement with the Telangana State Board of Intermediate Education (TSBIE) for the ₹4.35 crore project. According to the blog, the committee’s report cited “systemic failures, procedural collapse, and glaring negligence.”
The student further claimed that following the controversy, Globarena Technologies later changed its name to Coempt Edu Teck.
He further wrote: “Now I think, CBSE should have done their due diligence and spotted this, and should’ve disqualified this company. But, as per my investigation, based on the tender documents I’ve read, I don’t think this was just a mistake. Let me explain.”
Since CBSE is a public institution funded by public resources, it cannot simply select any private vendor of its choosing. It must issue a public Request for Proposal (RFP) to invite competitive bids.
This public bidding process ensures transparency in government. Since it is the taxpayer’s money that runs the government, it also prevents bribery.
To understand how the procurement ecosystem was manipulated, look at the timeline of how CBSE kept changing the playing field when vendors failed to clear the bar.
The student further alleged that changes were made to CBSE’s tender process in a way that favoured Coempt Edu Teck.
According to the blog, the first tender for the project was issued on February 4, 2025. The student claimed to have obtained the Request for Proposal (RfP) document for it but alleged that the tender results could no longer be found on the Government e-Marketplace (GeM) portal.
“I scraped all 576 tenders that CBSE has, and I could not find the first tender here,” the student wrote. “It was completely wiped/unlisted from the public portal archive.”
The blog further claimed that a second tender, issued on May 2, 2025, under Tender ID 2025_MHRD_858645_1, was later cancelled. According to the student, four bidders — including TCS and Coempt Edu Teck — participated, but all four allegedly failed the technical evaluation stage.
A third tender was then allegedly issued on August 28, 2025, under Tender ID 2025_MHRD_875046_1. According to the blog, Coempt Edu Teck eventually won this bid, while TCS and Coempt Edu Teck cleared the technical evaluation round.
The student then alleged that the qualification criteria between the older and newer tender documents had been significantly altered.
One of the key allegations concerned the removal of clauses related to poor past performance. According to the blog, the earlier tender document reportedly stated that companies could be disqualified if they had a history of “abandoning work,” “not properly completing contractual obligations,” or facing “financial failures/weaknesses.”
The student alleged that these conditions were removed from the newer tender document.
“In the New RfP, these clauses were completely wiped out,” the blog stated. “For the board, a track record of poor performance didn’t matter anymore.”
The student further claimed that if the earlier clauses had remained, Coempt Edu Teck’s alleged past operational history as Globarena Technologies during the Telangana Intermediate examination controversy “would have been a massive legal hurdle for their qualification.”
The student also raised questions about the financial eligibility conditions in the tender process, particularly the ₹50 crore turnover requirement.
According to the blog, the Request for Proposal (RfP) mandated that bidders must have an average annual turnover of at least ₹50 crore over the previous three financial years specifically from digital examination and evaluation services.
The student wrote that three companies participated in the final tender process: Tata Consultancy Services (TCS), Rankguru Technology Solutions, and Coempt Edu Teck.
He claimed that while TCS comfortably exceeded the requirement due to its size as a multinational company, Rankguru Technology Solutions allegedly reported a three-year average turnover of ₹117.56 crore.
However, the blog focused particularly on Coempt Edu Teck’s finances. According to the student, the company’s independent financial statements showed revenues of ₹32.1 crore in March 2023, ₹52.7 crore in March 2024, and ₹67.8 crore in March 2025 — giving it an alleged three-year average turnover of ₹50.86 crore.
The student described this as a “razor thin margin,” alleging that the qualification threshold appeared unusually close to Coempt’s financial position.
He further claimed that during the pre-bid clarification stage of an earlier tender, another company, Shree Info Solution, had allegedly requested CBSE to reduce the minimum turnover requirement to ₹30 crore in order to encourage broader competition. According to the blog, CBSE rejected the request.
“They did not want small players, but apparently, Coempt, who qualified it by a very thin margin, qualifies for it,” the student wrote.
The blog alleged that the eligibility rules appeared designed in a way that excluded smaller competitors while still remaining accessible to Coempt Edu Teck.
Questions over changes in software quality standards
The student also alleged that software quality requirements in the tender process were relaxed between the older and newer RfP documents.
The blog referred to CMMI (Capability Maturity Model Integration), an internationally recognised framework used to assess the maturity and quality standards of software development companies. Higher CMMI levels generally indicate more structured and advanced development processes.
According to the student, an earlier version of the tender allegedly required companies to meet CMMI Level 5 standards. However, the newer tender document allegedly reduced the requirement to CMMI Level 3.
The student pointed to a previous media article about Coempt Edu Teck that reportedly described the company as being certified at CMMI Level 3.
“You won’t believe the CMMI requirements in the old RfP,” the student wrote, alleging that the standards were later relaxed in the revised tender process.
Allegations over changes to the “cooling-off” period
The student also questioned changes made to what is commonly known as a “cooling-off” period in the tender’s business ethics clause.
According to the blog, the older Request for Proposal (RfP) reportedly stated that engaging with former board officials could be treated as a corrupt practice for up to two years after an official retired or resigned from service.
However, the student alleged that the revised tender document reduced this restriction period from two years to one year.
“In the old RfP, the ‘business ethics’ clause dictated that engaging with former board officials would be deemed a corrupt practice up to two years after the official retired or resigned,” the student wrote. “The new RfP halved this window to just one year.”
The blog included screenshots that the student claimed showed the relevant clauses from both the older and newer tender documents.

(Screenshot 1)

(Screenshot 2)
The student further questioned the rationale behind the change.
“Wouldn’t shrinking the cooling-off period have made it easier for the vendor to leverage recent insider connections or employ recently retired CBSE officials to influence the bidding process without violating the contract?” the blog stated.
Broader allegations over the tender process and evaluation system
Across the blog posts, the students alleged that CBSE’s newer tender process for the On-Screen Marking (OSM) platform was systematically altered in ways that benefited Coempt Edu Teck while weakening technical, security, and quality safeguards.
The allegations claimed that project qualification criteria were changed from requiring experience handling examinations involving large numbers of students to broader metrics based on cumulative answer-book volumes — a shift the students argued favoured companies with numerous smaller contracts.
They further alleged that infrastructure requirements were diluted. According to the blogs, earlier tender conditions requiring bidders to own dedicated data centres and maintain local server infrastructure were removed, while software ownership requirements were relaxed to permit proprietary platforms such as Microsoft IIS. The students argued these changes allegedly made it easier for Coempt Edu Teck’s existing infrastructure model to qualify.
The blogs also questioned modifications to business ethics clauses, including a reduction in the “cooling-off” period for former officials from two years to one year, as well as a corrigendum that allegedly removed CBSE’s power to blacklist vendors for repeated failures.
The students additionally raised concerns about cybersecurity oversight. According to the allegations, the platform was required to undergo Vulnerability Assessment and Penetration Testing (VAPT) audits through CERT-In empanelled auditors before launch. However, the students questioned whether these audits were properly conducted, especially after alleged vulnerabilities were discovered in publicly accessible portions of the platform.
The blogs further alleged that CBSE changed technical evaluation criteria in ways that favoured vendors with a higher number of smaller projects rather than larger and more complex examination systems. They also claimed workforce requirements were reduced, allegedly allowing companies to qualify for maximum marks with smaller specialised software teams.
Questions were also raised about scanning and evaluation quality standards. According to the students, the revised RfP allegedly shifted the penalty structure away from scanning errors and accuracy issues toward delays in operational timelines. The blogs argued that this prioritised speed and volume over precision in the handling of answer sheets.
The students additionally alleged that measurable accuracy thresholds present in older tender documents were removed, while scanner specifications were made less precise by replacing detailed technical requirements with broader terms such as “sufficient scanners.”
In their concluding remarks, the students argued that the cumulative changes reflected a deliberate weakening of safeguards across the tender and evaluation system.
“When you map the timeline side-by-side, a clear pattern emerges,” one of the blogs stated, alleging that the changes affected data security, software standards, evaluation quality, and accountability mechanisms surrounding the examination process.
Taken together, the allegations, technical findings, tender documents, and online investigations painted an extraordinary picture of how a few students questioning the examination system’s code ended up probing the inner workings of India’s most powerful educational board.
