
The Indian Express

CBSE OSM row: Sources said the Board has decided not to use the Coempt Edu Teck platform


The Central Board of Secondary Education (CBSE) was forced to delay opening its Post-Result Activities (PRA) portal after an IIT-led review found major cybersecurity vulnerabilities in the Board’s digital systems, senior officials associated with the exercise told The Indian Express.

The PRA portal, the CBSE’s official online platform to help students navigate post-examination procedures, was expected to go live on June 1, but it was not launched until the early hours of June 2. The delay set off fresh questions about the CBSE’s handling of this year’s Class 12 examination.

The portal is now active. However, it is learned that the re-evaluation exercise – the process that is supposed to kick in after a student who suspects errors in the marking of their paper registers a challenge on the portal – is yet to begin.

Sources said the Board has decided not to use the Coempt Edu Teck platform, which powered the On-Screen Marking (OSM) system used during evaluation of the Class 12 papers, for the re-evaluation.

Student and examination data held by Coempt has been migrated to digital infrastructure directly controlled by CBSE, and the re-evaluation workflow will now run through the Board’s own portal.

The cybersecurity review carried out by expert teams from IIT Madras and IIT Kanpur identified at least four vulnerabilities that were classified as “critical” or of “high severity”, an official closely associated with the exercise told The Indian Express.

In addition, at least seven medium- and low-severity issues were identified during the review, the official said.

On May 24, amid mounting complaints over CBSE’s digital evaluation system and technical glitches, Education Minister Dharmendra Pradhan had asked expert teams from the two IITs to assist the Board.

According to the official, the launch of CBSE’s PRA portal was postponed after a third round of cybersecurity testing uncovered the vulnerabilities.

The CBSE did not respond to requests from The Indian Express for a comment.

The audit employed the well-known “red team-blue team” method of testing, in which the “blue” team – comprising the CBSE’s original developers, experts from IIT Madras and the Digital India Corporation (DIC) – was responsible for fixing vulnerabilities, while the “red” team of IIT Kanpur experts tried to break into the system and identify weaknesses.

Four rounds of testing were carried out. After the second round on June 1, officials believed all major issues had been resolved and began preparations to launch the portal. However, a red team exercise conducted later that afternoon uncovered major vulnerabilities again, the official said.

One of the vulnerabilities, according to the official, was a sophisticated access-control flaw that could potentially allow a user logged in with one account to gain access to answer scripts belonging to other students.

Following the discovery, the blue team scrambled to carry out repairs and, after working through the evening, managed to fix the problem.

Around midnight on June 1, after a fourth round of testing found no more significant vulnerabilities, final configuration changes were carried out and the portal was opened around 4 am on June 2.

However, the portal is currently only collecting requests from students, and storing their submissions within the CBSE system. Once the examiner-facing platform is cleared for use, examiners will be assigned answer scripts electronically, the official said.

Every examiner will be assigned a specific number of papers.

Rather than reviewing entire answer books, examiners will be shown only the specific questions flagged by students for re-evaluation.

The exercise will be conducted digitally. Examiners will access scanned answer scripts on tablets and award marks in accordance with CBSE’s original marking scheme.

The marks awarded by the original evaluator will not be visible to the re-evaluating examiner. This is intended to allow an independent assessment and reduce the possibility of bias, the official said.

Once the re-evaluation process is complete, revised scores, if any, will be reflected on the CBSE’s PRA portal.

The vulnerabilities identified by the IIT-led teams arose largely as a consequence of coding and configuration practices that failed to adequately account for cybersecurity risks.

“These are basically configuration and coding errors,” the official said. Such vulnerabilities were not unique to CBSE, and were seen across many digital systems, the official said.

Also, these vulnerabilities did not emerge suddenly or specifically in the context of the CBSE’s decision to switch to OSM this year, the official said. “These vulnerabilities have existed for a long time. What has changed is that AI-based tools now make it much easier to find them,” the official said.

It has been reported that AI tools, specifically Claude, were used to detect vulnerabilities in the CBSE’s systems and gain access.

Among the most serious vulnerabilities identified by the IIT-led review was an “access-control” weakness.

For instance, the official said, if a student’s answer script is retrieved using a web address linked to the student’s roll number, inadequate safeguards could allow a user to manipulate the identifier and potentially gain access to records belonging to others as well. If a student alters that number in the browser address bar and the system lacks proper authorization checks, the URL could point to another student’s answer script, the official said.

The vulnerability discovered during the June 1 testing was a more sophisticated version of such a flaw, the official said.
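The simple form of the flaw the official describes, shown beside a corrected handler, as an added example that is not part of the article and is not CBSE's or Coempt's code. The roll numbers, session tokens, file names and function names are constructed for illustration.

```python
# Constructed sample data: roll number -> stored answer-script reference.
SCRIPTS = {"1001": "scan-1001.pdf", "1002": "scan-1002.pdf"}
# Constructed session store: session token -> roll number fixed at login.
SESSIONS = {"tok-a": "1001", "tok-b": "1002"}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""


def get_script_vulnerable(session_token, requested_roll):
    # Weak form: the handler checks only that the caller is logged in,
    # then trusts the roll number taken from the URL.
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return SCRIPTS[requested_roll]


def get_script_hardened(session_token, requested_roll, audit_log):
    # Hardened form: the roll number bound to the session at login is the
    # authority; the value from the URL must match it on every request.
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("not logged in")
    if requested_roll != owner or requested_roll not in SCRIPTS:
        # Same reply for "not yours" and "does not exist", so responses
        # do not reveal which roll numbers are valid.
        audit_log.append((owner, requested_roll))
        raise Forbidden("not authorized")
    return SCRIPTS[requested_roll]


def flag_enumeration(audit_log, threshold=3):
    # Detection: an account denied on several distinct roll numbers that
    # are not its own is likely walking the identifier space.
    seen = {}
    for owner, requested in audit_log:
        seen.setdefault(owner, set()).add(requested)
    return sorted(o for o, reqs in seen.items() if len(reqs) >= threshold)
```

The check compares against the identity stored server-side at login, so changing the number in the address bar has no effect on what is returned.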

The IIT-led team separately reviewed the platform of Coempt, and uncovered additional security concerns. The Hyderabad-based edtech company, which was contracted by CBSE to design and manage the OSM platform for this year’s Class 12 exam, was initially expected to support the re-evaluation process. However, Coempt’s only job now will be to re-scan blurry answer scripts for which requests are received, officials said.

According to the official associated with the IIT-led cybersecurity testing of both the CBSE and Coempt platforms, a review of a revised version of the Coempt platform identified three vulnerabilities.

One of them was a “man-in-the-middle” vulnerability, in which communications between a user and a server can be potentially intercepted by an unauthorized third party.

The other two vulnerabilities were described as highly technical, and continue to be addressed. Another round of “red” team testing will be carried out, the official said.

The IIT teams are yet to submit their broader recommendations to the Education Ministry. According to the official, their immediate focus remains on securing the systems and ensuring that the re-evaluation process carries forward safely.

Meanwhile, the counselling process to manage admissions to all IITs, NITs, IIITs, IISc, and many other technical education institutions for the 2026-27 academic year began on June 2.

The counselling, which is managed by the Joint Seat Allocation Authority (JoSAA), will close on June 11.