Inside the CBSE OSM Cyberattack │A Technical Breakdown of the June 2026 Incident

Isharth Kumar
Isharth Kumar
(Intern) Policy & Advocacy, CyberPeace
PUBLISHED ON
Jun 5, 2026
10

Introduction

On June 2nd, 2026, even as thousands of Class 12 students across the nation flocked to submit re-evaluation and verification applications on the CBSE’s newly rolled-out On-Screen Marking (OSM) portal, a decidedly different kind of visitor had logged in an attacker carrying automation scripts, botnet traffic, and malicious intentions to either shut the system down or steal its contents. The attack, which CBSE then openly reported on its official X account, flooded the portal with 1.5 million hits in two minutes and sent over a lakh unauthorized file access attempts.

Understanding the Attack Architecture: The Two-Pronged Operation

The CBSE cyberattack was actually not a single exploit but rather a layered, orchestrated attack. The attack can be understood in two prongs:

  1. The DoS Attack:Firstly, attackers initiated a large-scale DoS (Denial of Service) attack, producing approximately 1.5 million requests in 120 seconds, or approximately 12,500 per second, in order to saturate the server. By overloading the systems with bogus requests, the attackers sought not just to disable the site but also to throw off security personnel from their primary task of stabilizing the portal during its launch period.

The File Probing: These attacks usually include the following methods:

  1. Path Traversal Attacks - Attackers will attempt to navigate outside of the current directory by supplying inputs such as "../../etc/passwd" in URL parameters or in a file upload. 
  2. Forced Browsing / Directory Enumeration - An attacker may have used tools to attempt to find vulnerable files and directories like answer sheets, exam scans, student identification documents, and admin-related files by systematically guessing names.
  3. API Endpoint Fuzzing: If any REST or GraphQL API was present for the portal, the attacker may have tried sending a various number of inputs to parameters to attempt to retrieve records, find IDORs, or escalate privileges. 
  4. Session Token Harvesting - For high-load environments, some systems may use insecure session management. Attackers would attempt to predict or guess the token to hijack another student's or administrator's session.

Why Are Educational Portals High-Value Targets?

Here's why the Indian education sector is an attractive target for cyber-attacks:

  1. Concentrated PII: Millions of students are present on these education portals, and their data (names, birth dates, Aadhaar linkage information, parents' details, address, education profiles, etc.) is of the highest value on the dark web and can be used for identity theft, financial fraud, credential reuse, and targeting.
  2. Low Investment Relative to the Data Value: The education system is chronically under-invested in cybersecurity. Many of these systems were built for a function/scale, rather than security by design, and are highly vulnerable.
  3. High-Pressure Launches: Launching a massive, public-facing system like the CBSE OSM verification site that needs to service millions of students on day 1 often requires time constraints that preclude proper penetration testing, stress testing, security auditing, or staged deployment; these launches often launch with numerous known security flaws.
  4. Large Attack Surface: The education ecosystem is comprised of many integrated systems, APIs, cloud instances, third-party systems, and authentication infrastructure. Each dependency increases the overall attack surface and provides multiple potential avenues to compromise these systems, such as IDOR, API abuse, or credential-based attacks.
  5. Geopolitical Motivation: Following the Op Sindoor attack in 2025, there was a significant increase in public institutions targeted by cyber-attacks with prolonged DDoS against critical systems. Highly visible, public-facing student portals catering to more than 35 million students make a tantalizing target for both nation-state attackers and hacktivist groups to cause disruption or gather intelligence.

The CBSE's Response

A balanced perspective on CBSE's public response is necessary:

  1. The portal did not go down and served about 14000 users at any point during the attack and had over 28000 successful submissions by 10pm June 2nd.
  2. In real-time, sessions are continuously being optimized for the students, and session timeouts are being extended.
  3. Management was on top of the situation and maintained good communication through social media.

To withstand a sustained attack volume of roughly 12,500 requests per second, CBSE would surely need more than one security control implemented on its infrastructure. In all probability, rate limiting was the primary reason it could sustain this attack volume by limiting the requests from an IP or client over a certain period of time and automatically aborting requests from systems sending automated data. This, coupled with perhaps load balancing, will distribute the attack across several systems, none of which will have become bottlenecks. Finally, it is possible that traffic could have also been routed via a Content Delivery System (CDN) or dedicated DDoS mitigation service capable of detecting and cleaning requests of malicious code before they even reach the origin servers.

Technical Recommendations

It is not sustainable for India's exam infrastructure to continue operating in a post-breach, patching-in mode forever. The systems need to embrace Privacy By Design (PBD) as an integral part of their DNA. Here are suggestions for short-term hardening and long-term resilience:

  1. Deploy a zero-trust file access architecture: Each request to access any file should be authenticated, authorized using role-based access control (RBAC), and logged in an immutable audit trail. Direct access to file paths should not be permissible; rather, pre-signed, time-limited tokens are recommended to control file access.
  2. Implement a multi-layered DDoS mitigation architecture: A combination of network edge traffic scrubbing (CDNs & DDoS mitigation services) along with rate limiting at the application layer via WAF is necessary. An Anycast-based multi-PoP architecture and pre-provisioning scrubbing capacity may further increase resiliency
  3. Conduct pre-launch penetration testing and red teaming exercises: Penetration testing with OWASP Top 10 audits, API security reviews, and load-based penetration testing should be conducted by CERT-In empanelled auditors prior to the launch of the examination. The red team exercise should simulate blended DoS and file-probing attacks.
  4. Secure Payments: The secure payment surface should support PCI-DSS Level 1 certified payments and tokenisation and employ velocity checks against automated abuse and support 3D Secure 2.0 (3DS2) on card payments.
  5. Implement SOC: Security operations centers (SOCs) should have real-time access to CERT-In threat feeds and ISAC intelligence, allowing them to act quickly on emerging attack vectors before anything malicious can be exploited.
  6. Encryption: Students' data should be encrypted with AES-256; keys should be stored separately in a Hardware Security Module (HSM) system and not co-located with the data storage system. Student data must also support the data minimisation principle, while storing it should be encrypted with AES-256 and keys should be stored securely in HSM.
  7. Monitoring: 24/7 SOC monitoring, ongoing vulnerability scanning on all pipelines, anomalous detection baselining, and frequent tabletop exercises for cyber resilience at 24x7 and post-examination activities.

Beyond the Breach: Governance, Accountability, and the Growing Cyber Threat to India's Education Sector

The CBSE attack is merely one example of a wider truth, a truth that extends beyond an isolated security event and highlights security as not only an issue of governance but of national security. Although it was during a period in which there was considerable change in leadership within the CBSE (some officials had been removed from their positions), and although it may be impossible to prevent administrative change, security vulnerability is an inherent risk when it cannot be ensured that the new incumbents have had knowledge transferred from the previous administration in terms of system design, vendor management, configuration, and incident response procedures. It has become apparent that a requirement for digital system governance must be considered to be just as serious a requirement as an academic and administrative governance requirement.

The attack is also indicative of a wider problem, and in 2025 there were in excess of 265 million cyber-attacks, and increasingly, critical infrastructure is being attacked by all manner of actors, including criminals, hacktivists, and state-sponsored groups. Educational institutions offer a prime target due to the amount of personal data held within their systems and the historically low security investment they tend to have. Worldwide trends that support the similar narrative of "data of immense value protected by under-resourced programs" (universities hit by ransomware and mass student data breaches included) are being constantly illustrated. For an examining body of tens of millions of students, cybersecurity cannot be an afterthought and needs to be clearly addressed within the governance and risk-management framework of the institution and, therefore, become a fundamental pillar of public trust.

Conclusion

The June 2026 cyberattack on the CBSE's OSM portal both illustrated the advancing capabilities of today's threat actors and highlighted the critical role cyber resilience must play in India's education sector. A high-volume DoS attack combined with over 100,000 file access attempts indicates a concerted and strategic operation both for disruption and the opportunity for data theft. Though the CBSE's infrastructure did hold, the attack should not offer comfort. Educational institutions are responsible for a significant amount of sensitive personal data, and they are major targets to state-sponsored and financially motivated attackers. Attacks are bound to continue. It is essential that cybersecurity become a fundamental pillar of the governance and trustworthiness of education and not a technical afterthought.

References

  1. CBSE Official Statement on Cyberattack, X (formerly Twitter), @cbseindia29, June 2, 2026.
  2. Indian Express, "CBSE OSM Row: Portal attack was a 'coordinated, two-pronged operation' says cybersecurity expert," June 3, 2026.
  3. Srinivas L, Joint MD & Joint CEO, 63SATS Cybertech (subsidiary of 63 moons technologies limited), was quoted in Indian Express, June 3, 2026.
  4. The Federal, "CBSE re-evaluation portal faces cyberattack, records 1.5 million hits in two minutes," June 2, 2026. https://thefederal.com
  5. CERT-In (Indian Computer Emergency Response Team), Empanelled Security Auditor Framework. https://www.cert-in.org.in
  6. OWASP Top 10 Web Application Security Risks, 2021 edition. https://owasp.org/www-project-top-ten/
  7. National Institute of Standards and Technology (NIST), Zero Trust Architecture (SP 800-207), August 2020. https://doi.org/10.6028/NIST.SP.800-207
  8. Indian Express, "What CBSE ignored: Its own panel found glitches in dry run, said delay OSM by a year," June 3, 2026.
  9. Asianet Newsable, "CBSE Class 12 re-evaluation portal withstands major DoS cyberattack," June 2, 2026. https://newsable.asianetnews.com
PUBLISHED ON
Jun 5, 2026
Category
TAGS
No items found.

Related Blogs

Cyber Attack Alert! AIIMS Attacked Again
Cyber Attack Alert! AIIMS Attacked Again
The cyber-security systems deployed in AIIMS, New Delhi, recently detected a malware attack. The nature and scope of the attack were both sophisticated and targeted.
10
June 17, 2023

Introduction

In an alarming event, one of India’s premier healthcare institutes, AIIMS Delhi, has fallen victim to a malicious cyberattack for the second time in the year. The Incident serves as a clear-cut reminder of the escalating threat landscape faced by the healthcare organisation in this digital age. In the attack, which unfolded with grave implications, the attackers not only explored the vulnerabilities present in the healthcare sector, but this also raised the concern about the security of patient data and the uninterrupted delivery of critical healthcare services. In this blog post, we will explore the incident, what happened, and what safety measures can be taken.

Backdrop

The cyber-security systems deployed in AIIMS, New Delhi, recently detected a malware attack. The nature and scope of the attack were both sophisticated and targeted. This second hack acts as a wake-up call for healthcare organisations nationwide. As the healthcare business increasingly depends on digital technology to improve patient care and operational efficiency, cybersecurity must be prioritised to protect sensitive data. To minimise cyber-attack dangers, healthcare organisations must invest in robust defences such as multi-factor authentication, network security, frequent system upgrades, and employee training.

The attempt was successfully prevented, and the deployed cyber-security systems neutralised the threat. The e-Hospital services remain to be fully secure and are functioning normally.

Impact on AIIMS

Healthcare services have been under hackers’ radar worldwide, and the healthcare sector has been impacted badly. The attack on AIIMS Delhi’s effects has been both immediate and far-reaching. The organisation, which is recognised for delivering excellent healthcare services and performing breakthrough medical research, faced significant interruptions in its everyday operations. Patient care and treatment processes were considerably impeded, resulting in delays, cancellations, and the inability to access essential medical documents. The stolen data raises serious concerns about patient privacy and confidentiality, raising doubts about the institution’s capacity to protect sensitive information. Furthermore, the financial ramifications of the assault, such as the cost of recovery, deploying more robust cybersecurity measures, and potential legal penalties and forensic analyses, contribute to the scale of the effect. The event has also generated public concerns about the institution’s ability to preserve personal information, undermining confidence and degrading AIIMS Delhi’s image.

Impact on Patients: The attacks not only impact the institutes but also have serious implications for the patients and here are some key highlights:

Healthcare Service Disruption: The hack has affected the seamless delivery of healthcare services at AIIMS Delhi. Appointments, surgeries, and other medical treatments may be delayed, cancelled, or rescheduled. This disturbance can result in longer wait times, longer treatment periods, and potential problems from delayed or interrupted therapy.

aiims

Patient Privacy and Confidentiality are jeopardised because of the breach of sensitive patient data. Medical data, test findings, and treatment plans may have been compromised. This breach may diminish patient faith in the institution’s capacity to safeguard their personal information, discouraging them from seeking care or submitting sensitive information in the future.

As a result of the cyberattack, patients may endure mental anguish and worry. Fear of possible exploitation of personal health information, confusion about the scope of the breach, and concerns about the security of their healthcare data can all have a negative impact on their mental health. This stress might aggravate pre-existing medical issues and impede total recovery.

Trust at stake: A data breach may harm patients’ faith and confidence in AIIMS Delhi and the healthcare system. Patients rely on healthcare facilities to keep their information secure and confidential while providing safe, high-quality care. A hack can doubt the institution’s ability to safeguard patient data, affecting patients’ overall faith in the organisation and potentially leading to patients seeking care elsewhere.

Cybersecurity Measures

To avoid future hacks and protect patient data, AIIMS Delhi must prioritize enhancing its cybersecurity procedures. The institution can strengthen its resistance to changing threats by establishing strong security practices. The following steps can be considered.

Using Multi-factor Authentication: By forcing users to submit several forms of identity to access systems and data, multi-factor authentication offers an extra layer of protection. AIIMS Delhi may considerably lower the danger of unauthorised access by applying this precaution, even in the case of leaked passwords or credentials. Biometrics and one-time passwords, for example, should be integrated into the institution’s authentication systems.

Improving Network Security and Firewalls: AIIMS Delhi should improve network security by implementing strong firewalls, intrusion detection and prevention systems, and network segmentation. These techniques serve to construct barriers between internal systems and external threats, reducing attackers’ lateral movement within the network. Regular network traffic monitoring and analysis can assist in recognising and mitigating any security breaches.

Risk Assessment: Regular penetration testing and vulnerability assessments are required to uncover possible flaws and vulnerabilities in AIIMS Delhi’s systems and infrastructure. Security professionals can detect vulnerabilities and offer remedial solutions by carrying out controlled simulated assaults. This proactive strategy assists in identifying and addressing any security flaws before attackers exploit them.

Educating and training Healthcare Professionals: Education and training have a crucial role in enhancing cybersecurity practices in healthcare facilities. Healthcare workers, including physicians, nurses, administrators, and support staff, must be well-informed about the importance of cybersecurity and trained in risk-mitigation best practices. This will empower healthcare professionals to actively contribute to protecting the patient’s data and maintaining the trust and confidence of patients.

Learnings from Incidents

AIIMS Delhi should embrace cyber-attacks as learning opportunities to strengthen its security posture. Following each event, a detailed post-incident study should be performed to identify areas for improvement, update security policies and procedures, and improve employee training programs. This iterative strategy contributes to the institution’s overall resilience and preparation for future cyber-attacks. AIIMS Delhi can effectively respond to cyber incidents, minimise the impact on operations, and protect patient data by establishing an effective incident response and recovery plan, implementing data backup and recovery mechanisms, conducting forensic analysis, and promoting open communication. Proactive measures, constant review, and regular revisions to incident response plans are critical for staying ahead of developing cyber threats and ensuring the institution’s resilience in the face of potential future assaults.

aiims attack

Conclusion

To summarise, developing robust healthcare systems in the digital era is a key challenge that healthcare organisations must prioritise. Healthcare organisations can secure patient data, assure the continuation of key services, and maintain patients’ trust and confidence by adopting comprehensive cybersecurity measures, building incident response plans, training healthcare personnel, and cultivating a security culture. Adopting a proactive and holistic strategy for cybersecurity is critical to developing a healthcare system capable of withstanding and successfully responding to digital-age problems.

#FactCheck- 2019 Fighter Jet Escort Video Falsely Linked to Iran Delegation
#FactCheck- 2019 Fighter Jet Escort Video Falsely Linked to Iran Delegation
#FactCheck- 2019 Fighter Jet Escort Video Falsely Linked to Iran Delegation
10
April 13, 2026

Executive Summary

Iran’s official news agencies have denied claims that senior officials, including Foreign Minister Abbas Araghchi and Parliament Speaker Mohammad Bagher Ghalibaf, have arrived in Pakistan for talks. A senior official told Iran’s Tasnim News Agency that Tehran is considering Pakistan’s proposal for peace talks, but any dialogue would depend on the United States fulfilling its commitment to halt military actions on all fronts.

Notably, the United States and Iran had agreed to a two-week ceasefire on April 8, 2026, with discussions reportedly scheduled for April 11 in Islamabad. Amid this backdrop, a video showing fighter jets escorting a large aircraft is being widely circulated on social media. Users claim that Pakistan deployed these jets to escort an Iranian delegation into the country.

However, an research by the CyberPeace found the claim to be false. The viral video is not recent and dates back to 2019.

Claim

An X (formerly Twitter) user shared the video claiming that Pakistan Air Force jets were escorting an Iranian delegation into Pakistan.

Fact Check

Reverse image search of keyframes from the viral video led us to a February 18, 2019 report by Radio Free Europe/Radio Liberty. The report stated that the fighter jets were deployed by Pakistan to escort the aircraft of Saudi Crown Prince Mohammed bin Salman during his visit to Pakistan on February 17, 2019.

Further verification led us to the same footage uploaded on YouTube by the channel “SCMP Archive” on July 6, 2020. At the time, Pakistan’s Air Force had described the escort as part of a ceremonial welcome tradition for visiting dignitaries.

Conclusion

The viral claim is misleading. The video does not show Pakistani fighter jets escorting an Iranian delegation amid ongoing ceasefire talks. Instead, it is an old clip from 2019, when Pakistan deployed JF-17 fighter jets to welcome Saudi Crown Prince Mohammed bin Salman during his official visit. There is no evidence linking the video to current geopolitical developments involving Iran and Pakistan. The footage has been taken out of context and reshared with a false narrative to mislead viewers.

Your Guide to Cyber Safe Mahakumbh 2025
Your Guide to Cyber Safe Mahakumbh 2025
10
January 13, 2025

Introduction

The Kumbh Mela is known worldwide as India's most significant pilgrimage and has earned a place on the UNESCO Intangible Cultural Heritage of Humanity list in 2017.  This year, the Maha Kumbh will be held in Prayagraj, Uttar Pradesh, with 40 crore devotees from all over the world expected to attend this momentous event from January 13th  to 26th February 2025. As the world embraces the blessings of digitalisation, people are increasingly relying on the Internet for arranging their travel, booking rooms, and securing accommodations for this grand spiritual journey. 

However, amidst this digital age, where the conveniences offered are manifold, there also lurks the shadow of deceit. Cybercriminals are finding innovative ways to entrap innocent individuals. Fraudulent activities are on the rise, with wrongdoers operating fake websites that promise secure bookings for cottages, tents, and other accommodations for the Mahakumbh event. Like the deceptive mirage that the desert traveller may mistakenly believe to be an oasis, these malicious sites lure pilgrims with the false hope of easy arrangements, only to exploit their trust and commit malicious cyber fraudulent activities. 

Policy and Preventive Measures Taken by Government

This year, the government has taken steps to utilise digitalisation services to enhance the experience of devotees, blending innovation with tradition. However, considering the rise in cyber scams, a dedicated cyber police station has also been established at Maha Kumbh 2025 to address threats such as the misuse of AI, the dark web, and social media platforms. This initiative aims to protect devotees from potential scams.

To strengthen safety measures, a special team of selected officers from across the state has been deployed in Mahakumbh Nagar, Prayagraj, to provide cybersecurity and ensure the safety of pilgrims. A dedicated cyber police station or digital police station will ensure round-the-clock monitoring of cyberspace.

The cybersecurity team has already identified 44 suspicious websites and initiated action against them. To further safeguard devotees attending Maha Kumbh 2025, a large-scale awareness campaign is being conducted to educate users about potential cyber threats.

The Role of Digital Discipline in Navigating the Uncharted Waters of the Internet

As the Yajurveda (ancient Vedic scriptures of Hinduism) reminds us ‘सत्यं चानृतं च सत्यं अभवत्, यदेतत् तपसा तप्यताम्।’. This learning translates into English as "Truth and falsehood are both present, yet truth is purified through intense discipline”. The Mahakumbh is a confluence not just of rivers but of faith and humanity's eternal quest for truth (Satyam). In the digital age, this vigilance extends to protecting ourselves from cyber frauds and scams that exploit the sanctity of occasions like the Mahakumbh. Just as devotees seek purity through holy rituals, we must also embrace Digital Discipline to navigate the confluence of tradition and technology safely.

Here are some Digital Discipline best practices you must follow:

  • Be cautious of fake websites, fraudulent travel agencies, and scam bookings. Always verify legitimacy before engaging in any  transactions.  
  • Stay alert for fake donation requests and only contribute to verified organizations.
  • Be aware of any mis/disinformation and implausible claims surrounding the Mahakumbh event and verify it from authenticated sources. The official website of Mahakumbh is https://kumbh.gov.in.
  • To report any cybercrime or issue, you can report it on the National Cyber Crime Reporting Portal at https://cybercrime.gov.in/, equipped with a 24x7 helpline 1930 that serves as a powerful resource available to the victims of cybercrimes to report their cases.

Conclusion

Netizens worldwide must prioritise Digital Discipline to ensure they are safeguarded from the snares of these cyber miscreants, so that they may safely and joyfully embark on their journey to the Maha Kumbh and receive divine blessings and purity of purpose through the experience.

References

Become a part of our vision to make the digital world safe for all!

Numerous avenues exist for individuals to unite with us and our collaborators in fostering  global cyber security

Awareness

Stay Informed: Elevate Your Awareness with Our Latest Events and News Articles Promoting Cyber Peace and Security.

CyberPeace Corps Induction Workshop
The Missing Link Trust to combat online child trafficking
Cyber Safety Carnival
Safer Internet Day 2023
Indian schools and colleges under digital siege: Massive cyber breach crisis exposed
Over 2 lack cyberattacks, 4 lakh data breaches hit Indian educational institutions in 9 months
Lessons in Cybersecurity Required: 2 Lakh Cyberattacks Shake Indian Education Sector in Just Nine Months
2 lakh cyberattacks, 4 lakh data breaches in Indian educational sector in 9 months

Engagement

Your institution or organization can partner with us in any one of our initiatives or policy research activities and complement the region-specific resources and talent we need.

Discover ways to collaborate
Request for Proposals

Play your part for CyberPeace

Donate to us directly to help us build more pioneering initiatives.

Donate Now