Surprisingly easy to get into system, they probably skipped audit: Ethical hacker claims many vulnerabilities in CBSE OSM portal

Jun 04, 2026

By Vishu Adhana
Rajkot (Gujarat) [India], June 4: A 22-year-old B.Tech student and ethical hacker, Tirth Parmar, claimed that he was surprised to find many vulnerabilities in CBSE's On-Screen Marking (OSM) portal, which left the database of student information exposed.
Speaking with ANI, Tirth Parmar claimed that CBSE "skipped" the security audit, which left the portal with many critical bugs through which it could be hacked.
"It was quite surprising because I was not expecting this many critical bugs. And there was an easy way to get into the system by just downloading the publicly accessible files, which had the passwords of the databases. So there were two ways of getting to the system. One was by guessing the URL, downloading the file, and basically getting the user ID of the databases and connecting to the server. And the other was a chain of multiple bugs, which I have exploited and reported to the authorities," he said.
"I think they have to do a security audit before releasing any version to the public, which I think they have skipped, and that's why so many critical bugs were found in production," he added.
Explaining how he was able to get into the portal, Parmar said, "There were multiple bugs, like a hard-coded master password, which was the easiest way to get into the system as an admin. And I think they fixed it. But there are many critical bugs like SQL injection, and the few accessible files and APIs are not even working without any kind of authentication. And I was able to retrieve sensitive information without any kind of authentication from that."
The 22-year-old student said that he has approached CBSE about the shortcomings of the portal, but hasn't received any response yet.
"Yeah, I have reported, I think multiple times, but I haven't received any response from them yet. They have to fix the bugs which many ethical hackers have contributed and submitted. They have to fix that first and do other security audits as well. And they could basically organise a bug bounty program or vulnerability disclosure program. So it could help," he said.
Warning that any unethical hacker could get into CBSE's database and read or download its records, he advised CBSE to put safeguards in place to protect itself from such attacks.
"So if someone who is unethical, they can get into the database. They are able to edit or read any records or able to download it, or in the worst case, someone can do a ransomware attack and ask for a big amount of ransom from the government. So there was like 9.3 million records of the students who were at risk," he said.
He urged CBSE to fix the shortcomings of the portal to protect the database.
"I will ask them to fix the issue which we have reported first, and then do a security audit by themselves or ask the other ethical hackers or any contributors as well," he said.
CBSE continues to face mounting pressure following reports of technical failures in its post-result portal and OSM discrepancies in evaluated answer sheets.