Hyderabad: The cybersecurity certificates that the Central Board of Secondary Education (CBSE) accepted as proof that its on-screen marking platform was safe to process nearly 10 million Class 12 answer scripts were issued for a different client’s deployment of the same software, and one of them was nearly two years old when submitted, Hindustan Times reported.
The findings add a significant dimension to the controversy surrounding Coempt EduTeck, the Hyderabad-based company to which CBSE awarded its on-screen marking (OSM) contract in December 2025, just 74 days before Class 12 board examinations began.
What the certificates actually covered
Coempt submitted two certificates to satisfy cybersecurity requirements under the August 2025 tender. Both were issued by firms empanelled with CERT-In, as government procurement rules require. But neither covered CBSE’s own deployment of the platform.
The first, issued by Prime Infoserv LLP in November 2023, certified that the OnMark deployment for Biju Patnaik University of Technology (BPUT) in Odisha, not CBSE’s, was free of vulnerabilities. By the time Coempt submitted it, the certificate was nearly two years old. Its own validity clause states it lapses after one year or when the application changes.
The second, issued by A3S Tech & Company in October 2025, certified an application called OneX – not OnMark – tested against BPUT’s exam domain and a pre-production staging environment. The certificate itself states that the content audited was based on a “temporary application version” and recommends that production server hardening still be done.
A cybersecurity professional in the banking and financial services sector, who reviewed the certificates, told HT that the documents were “at variance with standard practices.” Such audit reports, he said, are typically expected to carry granular details on tests conducted, methodologies, risk assessments, remedies and reassessments after fixes. “They are not a generic final certificate,” he said.
The vulnerabilities that followed
The platform those certificates were meant to vouch for was subsequently found to contain a series of critical security flaws.
The first disclosure came on February 25, when Nisarga Adhikary, an ethical hacker who had himself given the Class 12 examinations, reported five critical vulnerabilities in the OSM portal to CERT-In. These included a master password stored in plain text that bypassed two-factor authentication entirely. Only one was patched. The rest persisted until the portal was taken down.
A more consequential breach was reported on May 29. Researcher Tirth Parmar found the portal’s login page was vulnerable to an SQL injection attack – a technique so basic it has topped global web security risk rankings for years, and one the Prime Infoserv certificate had explicitly certified the platform had been tested against.
Parmar said the flaw gave him administrator-level access to hundreds of database tables holding student marks, answer scripts and evaluators’ personal and banking details. He also found hardcoded passwords baked directly into the software, credentials that, he said, appeared to be reused across Coempt’s other examination board clients.
CERT-In has acknowledged at least some of these disclosures to a parliamentary panel, according to people aware of the matter who spoke to HT.
A procurement that lowered the bar
The certificates are the latest detail in a procurement record that shows standards being set and then walked back at each stage.
CBSE floated its first OSM tender in February 2025. No company bid. A second in May drew responses but no firm cleared the technical round. By the third tender in August, the minimum scanning resolution had been dropped from 300 DPI to 200 DPI, the robotic scanner requirement removed and the software maturity certification lowered from the highest international tier to the midpoint.
The contract went to Coempt on December 5.
The board’s own governing body had recommended pilots across all 22 regional offices before any nationwide rollout. None were conducted.
Where things stand
Following the controversy, CBSE has moved all data and answer-script records from Coempt’s servers to its own infrastructure. IIT Kanpur and IIT Madras teams, deputed after Union Education Minister Dharmendra Pradhan intervened on May 24, carried out extensive security reviews, running a “red team” to find vulnerabilities alongside a “blue team” strengthening the code.
Coempt remains involved in a limited capacity, news agency ANI has reported, scanning answer sheets for re-evaluation while the patched version of its code runs on CBSE-controlled servers.
Re-evaluation, covering 63,119 applications as of June 4, is expected to begin next week through CBSE’s own portal. Top CBSE officials have been removed and a one-member government committee appointed to examine the procurement.
