The Central Board of Secondary Education (CBSE) is preparing to impose penalties on its On-Screen Marking (OSM) service provider, Coempt Edu Teck, after vulnerabilities were discovered in the online system used for evaluating Class 12 answer sheets.

The move follows public disclosures on social media that raised concerns about the security of answer scripts and student-related data stored on the platform.Officials familiar with the matter said the Hyderabad-based company could face financial penalties under the provisions of the contract awarded to it in December 2025.

The board has also confirmed that identified weaknesses in the system have now been addressed.Ethical Hackers Post Triggers Security ConcernsThe controversy erupted after 19-year-old ethical hacker Nisarga Adhikary alleged on X that answer sheets and examination-related files were accessible through an improperly configured Amazon Web Services (AWS) storage bucket.In his post, Adhikary claimed, CBSE people didnt configure their AWS bucket properly and now we can paginate enumerate all their media which has 2026 answer sheets question papers, while sharing screenshots that appeared to show answer copies.According to Adhikary, the issue stemmed from the cloud storage buckets root directory being openly accessible.The bucket root was publicly listable, meaning anyone on the internet could see the complete list of files and folders stored inside, added Adhikary.The allegations quickly drew attention online and prompted a response from CBSE.CBSE Says Vulnerabilities Have Been FixedSeveral hours after the claims surfaced, CBSE acknowledged that concerns related to the OSM portal were being monitored.The board stated that cybersecurity specialists from different government agencies and Indian Institutes of Technology (IITs) had been engaged to strengthen the platforms security framework.An expert team of cybersecurity professionals has been deployed over the last few days from across various arms of the government as well as the IITs to fortify these systems, including taking them over to a more secure set up.

The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out, CBSE said.While CBSE did not publicly disclose the name of the vendor involved, officials confirmed that corrective action had been taken and that the contractor would face penalties.One official, speaking on condition of anonymity, said, The vulnerabilities identified by the board shows that the there was a....