New Delhi: Earlier on June 1, a fire broke out at a government building. Several news outlets and a prominent news agency reported that it broke out in an office of the Ministry of Education. Later, the ministry clarified that it was at the School of Planning and Architecture, and not the education ministry’s offices, that the fire broke out. But by then, several opposition politicians and commentators on social media had already wondered aloud whether key documents connected to the crisis in the online marking system of the Central Board of Secondary Education are likely to be burnt in the fire.Yet others noted how the future of lakhs of children has already gone up in flames.In the last few days, the CBSE’s struggles against criticism of its online marking system have been amplified by the fact that it is the work of teenagers that has shed light on it.VulnerabilitiesNineteen-year-old ethical hacker Nisarga Adhikary, who wrote the CBSE Class 12 exam this year, claimed on May 22 that he was able to access crucial servers of the boar’s On-Screen Marking system portal. In multiple interviews, Adhikary has noted that he had alerted CERT-In of these vulnerabilities in February itself but many of them – if not all but one, he says in his interview to Newslaundry – remained unattended to, despite the nodal government agency charge of cybersecurity incidents acknowledging his email.In his widely shared blogpost, titled ‘Exposing Critical Vulnerabilities in CBSE’s On-Screen Marking Portal: From Authentication Bypass to Full Account Takeover’, Adhikary notes that to log in as a specific examiner, all that an attacker needs is a target’s user ID and school code, both of which are publicly obtainable, and the master password, sitting in a JavaScript file which anyone can download. But this is not the only vulnerability, Adhikari noted.“Every one of these vulnerabilities traces back to the same root mistake: putting secrets and security decisions in code that runs on the user’s machine,” he wrote.On May 31, again, Adhikary wrote in X that answer sheets stored on an Amazon Web Services (AWS) bucket – a cloud storage container for files like documents, images, and data – were publicly accessible online.“CBSE people didn’t configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answer sheets & question papers,” Adhikary said. His post had screenshots of some answer copies as well.On the same day, Sidharth Sharma, who is reported to be a Class 12 student, wrote on X about security flaws on “almost every single OnMark portal” built by the Hyderabad-based Coempt EduTeck Private Limited. Sharma’s blog is titled ‘Exposing the Lies Behind CBSE’s OnMark Portals.’Sharma wrote on X: CBSE is lying to you about the safety of student data. We found default passwords, URL-based RCEs, and raw MD5 hashes. Millions of students are at risk.”almost every single OnMark portal built by EduTek is fundamentally insecure, and CBSE is lying to you about the safety of student data.we found default passwords, URL-based RCEs, and raw MD5 hashes. millions of students are at risk.read the blog here: https://t.co/D4CXnIadmd pic.twitter.com/fEvMyIw7pG— sidharth (@sidharthify) May 30, 2026A key claim by Sharma was that “the password for a superadmin account with full read/write access to national exam data” was “literally 123456.”CBSE responded after a few hours to say that it was “closely monitoring the vulnerabilities in the OnMark portal of our service provider that are being flagged in the public domain.”It claimed that an “expert team of cybersecurity professionals has been deployed over the last few days from across various arms of the government as well as the IITs to fortify these systems, including taking them over to a more secure set up.”While it claimed that the “identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out,” it is yet to make its verification and re-evaluation portal live.At 2 pm on June 1, it said it will go live “soon.” The portal is necessary for students who have sought reevaluation after a controversial and fraught process of on-screen marking against which even CBSE evaluators have spoken out against.Tendering processMeanwhile, another blog, by 17-year-old Sarthak Sidhant, in which the teenager reviewed tender documents on the Central Public Procurement portal alleges that CBSE played fast and loose with eligibility and technical requirements across three successive tender rounds so that it ultimately led to Coempt EduTeck Private Limited winning the bid to become the service provider for its OSM system.Titled ‘How CBSE rewrote rules to favour Coempt EduTeck’, Sidhant took his blog live on May 29, writing on X that “CBSE has systematically rewritten its rulebook to favor Coempt Eduteck.”A 17-year old having more courage, skills, and love for the nation than many big news corporations and their multiple award winning journos combined. https://t.co/RNVTJq297F— वरुण 🇮🇳 (@varungrover) May 30, 2026 Sidhant’s blog notes changes across three rounds of Requests for Proposal.Crucially, in a new RFP, Sidhant says in his blog, the older requirement of not entertaining bids from firms which had once been blacklisted was changed to those which were “currently blacklisted”.Sidhant also held that he found that Coempt had only just cleared the Rs 50-crore turnover bar of the tender and listed multiple other discrepancies in the tendering process.GOOOOD MORNINGGGGG CBSEEE @cbseindia29can you please explain why:1) in the may tender, the financial years were FY21, FY22, FY23 and limit set to 50 cr> where coempt fails, by 14.83% margin.> coempt does not ask to decrease the budget in PBC> coempt did not ask to… pic.twitter.com/6FOXloWffS— Sarthak Sidhant (@sidhant_sarthak) June 1, 2026A Hindustan Times report notes that while the CBSE is likely to penalise Coempt EduTeck after the attention, it is unlikely to be able to blacklist it because such a clause is not written in its contract.The report finds:“The tender, issued on August 28, provides for a raft of cascading financial penalties pinned on redressal timelines — including a fine of Rs 1 lakh for every 15-minute delay in rectifying an issue after a CBSE official flags it to the helpdesk — blocked security deposits and contract terminations.”“However, the contract does not contain provisions to blacklist the company for such lapses.”This criterion too was removed in a corrigendum issued on September 20, 2025, months before Coempt Edu Teck was awarded the contract on December 5, the report says.The Wire has not been able to independently verify any of these claims.‘Answer sheet not mine’A third teenager has been instrumental in pulling the veil off the CBSE’s performance. Delhi-based student Vedant Shrivastava’s post on X, in which he spoke of discovering that the Physics answer sheet uploaded by the CBSE was not his made ripples.He was called “Pakistani” for voicing his concerns, by a prominent anchor, but Shrivastava’s tweet led to a plethora of complaints coming up on the same issue, bringing it under national spotlight.Social media now is full of exhortations and request to the government to pay heed to the situation. “Because of blurry OSM sheets, crashing portals, overcharging and faulty marking, our board percentages are ruined. College admissions have already started and JOSAA counselling is about to begin lakhs of us may have to drop an entire year,” a purported student wrote.Another commentator noted the flaw in this plan: “Students are uncovering marksheet errors. Students are exposing alleged vulnerabilities in the OSM system. Students are scrutinising the tender process. When students are forced to become investigators and auditors of their own exam process, something is seriously wrong.”