Signing you in

“We managed to play the iconic Bad Apple video on CBSE's prod site,” Nisarga Adhikary posted on X, claiming he had gained extensive access to servers connected to the board’s On-Screen Marking (OSM) system.

The Bad Apple meme is an iconic internet challenge where the black-and-white shadow-art music video of the song Bad Apple is recreated, coded or ported onto virtually any visual medium. Since it is purely monochrome, Internet users love recreating it on oscilloscopes, in Minecraft and on retro consoles.

Nisarga, a Class 12 student, who previously said he reported multiple vulnerabilities to authorities, alleged that he was able to obtain full create, read, update and delete (CRUD) access as well as shell access to production servers.

“We were able to get full create, read, update and delete (CRUD) access and shell access to CBSE's prod servers. This is disastrous,” he wrote.

Adhikary shared a screen recording showing the popular "Bad Apple" silhouette animation running on a CBSE-linked dashboard page. The clip also displayed the message: “PWNED via SQLi by web hackers :3”, referring to an alleged SQL injection vulnerability. According to the student, the demonstration was intended to highlight weaknesses in systems connected to digital answer-sheet evaluation and examination management.

The claims surfaced amid continuing scrutiny of CBSE’s post-result processes, answer-sheet verification mechanisms and re-evaluation systems used by millions of students.

In an earlier interview with India Today TV, Adhikary said he had identified more than 40 vulnerabilities and reported them through official channels months ago. “I documented multiple vulnerabilities,” he said.

According to him, the issues included authentication weaknesses and access controls that could potentially allow unauthorised users to access examiner-level functions. “The first vulnerability took around 30 minutes. Overall, maybe two or three hours,” he claimed.

The student said he informed government cybersecurity channels, including CERT-In, but received only an acknowledgement. “No reply from CBSE or the vendor, only an acknowledgement,” he alleged.CBSE REACTS

CBSE has strongly disputed the allegations and said claims of a compromise of its On-Screen Marking (OSM) portal are misleading. According to the board, the URL cited in social media posts referred only to a testing environment containing sample data used for internal review purposes.

The board said the actual portal used for evaluation of answer books was different and had not been compromised. It has postponed the opening of its post-result verification and re-evaluation portal to June 1.

CBSE further said no security breach had been detected in its live evaluation system and maintained that strong safeguards and grievance-redressal mechanisms remain in place to ensure the integrity of examinations and assessments.

The controversy came at a sensitive time, with CBSE and other examination bodies facing increasing scrutiny over digital systems, answer-sheet access and concerns raised by students regarding examination transparency.- EndsPublished By: Prateek ChakrabortyPublished On: May 29, 2026 18:40 IST