Analysis of Cybersecurity Deficiencies in CBSE's On-Screen Marking Procurement and Implementation
Introduction
The Central Board of Secondary Education (CBSE) has transitioned its Class 12 answer script re-evaluation process to an internal portal following the identification of critical security vulnerabilities in the OnMark platform provided by Coempt Edu Teck.
Main Body
The procurement of the On-Screen Marking (OSM) system was characterized by a progressive diminution of technical requirements. Following two unsuccessful tender attempts, the August 2025 tender saw a reduction in minimum scanning resolution from 300 to 200 DPI, the removal of robotic scanner mandates, and a lowering of software maturity certification standards. Despite recommendations from the governing body to conduct regional pilots, the system was deployed nationwide within 74 days of the contract award.
Investigation into the security certifications submitted by Coempt Edu Teck reveals significant discrepancies. One certificate, issued by Prime Infoserv LLP in November 2023, pertained to a different client (Biju Patnaik University of Technology) and had exceeded its one-year validity period at the time of submission. A second certificate from A3S Tech & Company concerned a temporary application version ('OneX') in a pre-production environment, explicitly noting that production server hardening remained outstanding. Neither document verified the specific deployment intended for CBSE.
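As an added illustration (not part of the original analysis or of any CBSE or vendor tooling), the following Python check encodes the due-diligence questions that both certificates failed: was it issued for the right client and application, does it cover a production environment with hardening complete, and was it still within its validity window on the submission date. The exact dates, the 365-day validity period and the client named on the second certificate are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SecurityCertificate:
    issuer: str
    client: str               # organisation the assessment was performed for
    application: str          # application or version that was assessed
    environment: str          # "production" or "pre-production"
    issued: date
    validity_days: int
    hardening_complete: bool  # assessor recorded server hardening as done


def acceptance_findings(cert, expected_client, expected_app, submission_date):
    """Return the reasons this certificate fails to cover the deployment (empty = acceptable)."""
    findings = []
    if cert.client != expected_client:
        findings.append(f"issued to a different client ({cert.client})")
    if cert.application != expected_app:
        findings.append(f"covers a different application ({cert.application})")
    if cert.environment != "production":
        findings.append(f"assessed a {cert.environment} environment")
    if not cert.hardening_complete:
        findings.append("production server hardening recorded as outstanding")
    expiry = cert.issued + timedelta(days=cert.validity_days)
    if submission_date > expiry:
        findings.append(f"validity ended {expiry.isoformat()}, before submission")
    return findings


def is_acceptable(cert, expected_client, expected_app, submission_date):
    return not acceptance_findings(cert, expected_client, expected_app, submission_date)


# Constructed sample records modelled on the two certificates described above.
# Exact dates, the 365-day validity and the second record's client are assumptions.
SUBMISSION_DATE = date(2025, 8, 15)
PRIME_INFOSERV = SecurityCertificate(
    "Prime Infoserv LLP", "Biju Patnaik University of Technology", "OnMark",
    "production", date(2023, 11, 1), 365, True)
A3S_TECH = SecurityCertificate(
    "A3S Tech & Company", "CBSE", "OneX", "pre-production", date(2025, 6, 1), 365, False)

if __name__ == "__main__":
    for cert in (PRIME_INFOSERV, A3S_TECH):
        for reason in acceptance_findings(cert, "CBSE", "OnMark", SUBMISSION_DATE):
            print(f"{cert.issuer}: {reason}")
```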
Subsequent technical audits by independent researchers identified severe vulnerabilities. In February 2026, a researcher reported five critical flaws, including a plain-text master password that bypassed two-factor authentication. In May 2026, a second researcher identified a fundamental SQL injection vulnerability. This flaw permitted unauthorized administrator-level access to databases containing student marks, answer scripts, and evaluator banking details. The researcher further contended that hardcoded passwords were reused across multiple client environments, suggesting a systemic failure in client isolation and credential management.
In response to these failures, the Ministry of Education mandated a technical remediation effort involving experts from IIT Kanpur and IIT Madras. While the board has migrated data to its own infrastructure to ensure direct control, it continues to utilize a patched version of Coempt's codebase. Concurrently, CBSE has initiated legal proceedings via the Delhi Police regarding coordinated cyberattacks on its post-result services portal.
Conclusion
The CBSE has effectively terminated the external hosting of its evaluation process in favor of an internally managed, patched system while government investigations into the procurement process continue.
Vocabulary Learning
The Architecture of Institutional Euphemism & Nominalization
To bridge the gap from B2 to C2, a student must move beyond describing actions and begin describing processes through the lens of high-level abstraction. The provided text is a masterclass in Administrative Obfuscation—the use of precise, cold, and nominalized language to describe catastrophic failure without using emotive adjectives.
⚡ The Pivot: From Verb-Driven to Noun-Driven Prose
At the B2 level, a writer might say: "The board lowered the requirements because they couldn't find a vendor."
At the C2 level, this is transformed into:
"The procurement... was characterized by a progressive diminution of technical requirements."
Analysis: "Progressive diminution" is the surgical replacement of "slowly lowering." By turning the action (diminishing) into a noun (diminution), the author removes the human agent and focuses on the phenomenon. This creates an aura of objective, scholarly distance essential for legal and technical reports.
🔍 Precision Lexis for Systemic Failure
Observe the deployment of specific terminology that replaces generic 'bad' or 'wrong' descriptors:
- "Significant discrepancies": Instead of saying "The certificates were fake/wrong," the author uses discrepancies, which implies a logical mismatch and invites a forensic audit.
- "Production server hardening remained outstanding": This is a high-level technical collocation. To say something is "outstanding" in this context does not mean it is 'excellent,' but rather 'unresolved' or 'pending.'
- "Systemic failure in client isolation": This elevates the critique from a single mistake to a fundamental flaw in the underlying architecture.
🛠 Linguistic Application: The 'C2 Synthesis'
To achieve this level of sophistication, practice The Nominalization Shift. Transform your narrative of an event into a structural analysis of that event:
| B2 Approach (Narrative) | C2 Approach (Structural/Abstract) |
|---|---|
| They didn't check the software properly. | There was a deficiency in the verification protocols. |
| The password was easy to guess. | The system exhibited a vulnerability via a plain-text master password. |
| They moved the data to their own servers. | The board migrated data to its own infrastructure to ensure direct control. |