Dubai-based cybersecurity researcher Rylen Anil revealed critical vulnerabilities in the National Testing Agency’s (NTA) re-examination portal, including a superadmin login bypass using weak credentials. The flaw exposed personally identifiable information (PII) of approximately 7,900 observers, 676 centre coordinators, and 5,400 exam centres, according to medianama.com. The portal also allowed access to admin functions such as exporting data and managing observers.
Anil detailed on X that the superadmin bypass granted access to sensitive dashboard controls, including exporting CSV files, generating appointment letters, and uploading templates and nodal officer mappings. Following his disclosure, the portal URL became temporarily inaccessible, showing a 404 error. However, a screenshot later surfaced showing the site was still publicly accessible on a mobile network. Anil also identified a separate vulnerability in CBSE’s DigiLocker portal involving client-side AES encryption with a hard-coded passphrase exposed in public JavaScript files.
These findings highlight significant cybersecurity gaps in key educational portals managed by Indian authorities. The NTA portal’s exposure of large volumes of user data and admin controls raises concerns about data privacy and system integrity. The CBSE DigiLocker vulnerability further underscores weaknesses in encryption implementation: a passphrase hard-coded in publicly served JavaScript can be read by anyone who loads the page, so the client-side AES layer provides no real confidentiality, potentially compromising student data security. Such breaches could affect millions of students and officials involved in examination processes, emphasizing the need for urgent security audits and remediation.
The vulnerabilities were publicly disclosed on June 1, 2026, by Rylen Anil on X, prompting immediate attention to the portals’ security. At the time of reporting, the NTA re-examination portal’s URL remained intermittently accessible, while no official response from NTA or CBSE had been recorded, per medianama.com.