New Delhi, Jun 5, 2026 04:23 AM IST
The Central Board of Secondary Education (CBSE) was forced to delay opening its Post-Result Activities (PRA) portal after an IIT-led review found major cybersecurity vulnerabilities in the Board’s digital systems, senior officials associated with the exercise told The Indian Express.
The PRA portal, the CBSE’s official online platform to help students navigate post-examination procedures, was expected to go live on June 1, but it was not launched until the early hours of June 2. The delay set off fresh questions about the CBSE’s handling of this year’s Class 12 examination.
The portal is now active. However, it is learned that the re-evaluation exercise – the process that is supposed to kick in after a student who suspects errors in the marking of their paper registers a challenge on the portal – is yet to begin.
Sources said the Board has decided not to use the Coempt Edu Teck platform, which powered the On-Screen Marking (OSM) system used during evaluation of the Class 12 papers, for the re-evaluation.
Student and examination data held by Coempt has been migrated to digital infrastructure directly controlled by CBSE, and the re-evaluation workflow will now run through the Board’s own portal.
The cybersecurity review carried out by expert teams from IIT Madras and IIT Kanpur identified at least four vulnerabilities that were classified as “critical” or of “high severity”, an official closely associated with the exercise told The Indian Express.
In addition, at least seven medium- and low-severity issues were identified during the review, the official said.
On May 24, amid mounting complaints over CBSE’s digital evaluation system and technical glitches, Education Minister Dharmendra Pradhan had asked expert teams from the two IITs to assist the Board.
According to the official, the launch of CBSE’s PRA portal was postponed after a third round of cybersecurity testing uncovered the vulnerabilities.
The CBSE did not respond to requests from The Indian Express for a comment.
The audit employed the well-known “red team-blue team” method of testing, in which the “blue” team – comprising the CBSE’s original developers, experts from IIT Madras and the Digital India Corporation (DIC) – was responsible for fixing vulnerabilities, while the “red” team of IIT Kanpur experts tried to break into the system and identify weaknesses.
Four rounds of testing were carried out. After the second round on June 1, officials believed all major issues had been resolved and began preparations to launch the portal. However, a red team exercise conducted later that afternoon uncovered major vulnerabilities again, the official said.
One of the vulnerabilities, according to the official, was a sophisticated access-control flaw that could potentially allow a user logged in with one account to gain access to answer scripts belonging to other students.
Following the discovery, the blue team scrambled to carry out repairs and, after working through the evening, managed to fix the problem.
Around midnight on June 1, after a fourth round of testing found no more significant vulnerabilities, final configuration changes were carried out and the portal was opened around 4 am on June 2.
However, the portal is currently only collecting requests from students, and storing their submissions within the CBSE system. Once the examiner-facing platform is cleared for use, examiners will be assigned answer scripts electronically, the official said.

