A high-level expert panel from IIT Kanpur and IIT Madras, deployed to secure the CBSE’s On-Screen Marking (OSM) portal, has found that powerful AI tools, reportedly Claude, were used to identify vulnerabilities and gain access to the system. The findings, reported by the Economic Times, reveal that the system was not equipped to withstand the kind of AI-assisted probing that has become increasingly accessible. The panel also found that the OSM vendor, Coempt Edutech, lacked adequate capability and conceptual understanding of portal security.
Following the findings and with strong backing from the Ministry of Electronics and Information Technology (MeitY), CBSE’s OSM data was moved from the private vendor to a government-managed segment of Amazon Web Services India.
The OSM system, introduced this year for Class 12 evaluation, was meant to allow answer sheets to be scanned and assessed digitally. Almost immediately, students reported serious issues: blurry scans, missing pages and answer sheets that appeared to belong to different students. Upon closer inspection, the security problems started surfacing.
Nisarga Adhikary, a 19-year-old cybersecurity researcher, publicly claimed he had found significant flaws in the portal months before the controversy exploded, including vulnerabilities that could allow examiner impersonation and password resets. He described it as “one of the easiest hacks of my life,” saying it required no programming knowledge. He said he reported the issues to CERT-In and other authorities but received an inadequate response before going public.
CBSE responded by saying the site Adhikary referenced was a testing environment containing sample data, not the live evaluation platform. The expert panel, however, was convened not to debate that but to fix the underlying problem, and its findings about Claude and other AI tools being used to find entry points go beyond what any particular ethical hacker claims.
The CBSE fallout is part of a wider pattern of cyber pressure on India’s examination infrastructure. One National Testing Agency (NTA) digital portal was hit by approximately 500,000 attempts on the same day, following which the Common University Entrance Test (CUET) was disrupted by technical glitches, preventing over 3,700 students from sitting the exam. CBSE also reported a 3.8 million-packet denial-of-service attack on its portal, which was successfully blocked. The Indian Computer Emergency Response Team (CERT-In) has been asked to conduct a full security audit of the CBSE portal.
In the aftermath, CBSE’s Chairman Rahul Singh and Secretary Himanshu Gupta have both been replaced, with senior IAS officer Lokhande Prashant Sitaram appointed as the new Chairperson. A single-member inquiry committee has been set up to examine the OSM procurement process.
A troubling aspect of the story is how much was known before the crisis. As per a report by Times Now, during a dry run in January 2026, evaluators flagged a long list of problems with the OSM system, including marks discrepancies, no auto-save feature, a non-functional remarks tool, poor interface design and excessive cognitive load. Evaluators reportedly preferred to mark answer sheets manually rather than use the digital system. Senior CBSE officials told evaluators at the time that OSM would only apply to non-academic subjects. It was eventually deployed across all subjects.
MeitY has since issued an advisory to government departments about what it describes as a general lack of “elementary hygiene” in rushed technology transitions, with an emphasis on building security into procurement processes from the design stage rather than retrofitting it.