After publicly exposing security vulnerabilities in CBSE’s On-Screen Marking portal, Nisarga Adhikary, a Bengaluru-based cybersecurity researcher who recently completed Class 12, hacked into two of the portal’s domains.
“We were able to get full create, read, update and delete (CRUD) access and shell access to CBSE’s prod servers,” he wrote. After hacking the domain, he further claimed to have access to another subdomain under it: onmark.co.in.
“Another integral onmark subdomain has been pwn’ed, this time we managed to get super admin access of the portal. seems like it is tasked with evaluation of exams at various universities,” he wrote in a following post.
“We managed to play the iconic Bad Apple video on CBSE’s prod site!” he further wrote on X while posting a screen recording of the GIF version of the Bad Apple song.
Quick recap: On May 22, Nisarga Adhikary publicly exposed the security vulnerabilities of the Central Board of Secondary Education (CBSE) On-Screen Marking (OSM) system. He published the blog post after CERT-In failed to act to fix OSM’s systems, even though he had flagged the issue to India’s cybersecurity agency over three months earlier.
Read more about the list of security vulnerabilities here: His blog post | MediaNama’s coverage.
How did he gain access to CBSE’s systems? According to his claims, he obtained CRUD and shell access to the CBSE OSM portal. CRUD is an acronym for the following functions: Create, Read, Update, and Delete. “By mastering CRUD operations, developers can effectively manage and manipulate the data in databases, making CRUD a foundational concept in software development,” according to a blog post by GeeksforGeeks.
Similarly, shell access refers to SSH (Secure Shell or Secure Socket Shell), a network protocol for accessing a computer over an unsecured network, according to TechTarget’s definition.
Why did they have to hack CBSE’s systems? Because the CBSE officials denied their findings. “Regarding your question about the website being hacked, I completely deny it. I am rejecting this allegation outright. Because exams are being conducted offline so there are no questions of website being hacked,” said CBSE’s Regional Head, Rajesh Kumar Gupta, on camera in an interview with news agency IANS.
In an apparent attempt to demonstrate security vulnerabilities, he accessed CBSE’s backend, uploaded the following content to their database, and archived webpages from https://cbseosm.onmark.co.in/.
- A message displaying the word “PWNED”: In internet parlance, pwned refers to being a victim of hacking or a data breach. Access the archived page here.
- A GIF of an Italian brain-rot cartoon character walking into the shadows: You can view the GIF here.
- A YouTube video with the following text: “NEPU NEPU NEPU”. This refers to a song based on a Japanese video game character. Access the archived page here.
- Another YouTube video with the following text: “TUNG TUNG SAHUR”. Refer to the Wikipedia article for more information. Access the archived page here.
He also shared an archived version of CBSE’s notification (dated February 21, 2026), informing school principals about the mock evaluation. The notice included the following URL, which is the same one he originally exposed: https://cbseosm.onmark.co.in/CBSE_Dashboard/.
