# Inside Coempt EduTeck's OnMark Platform: How a Single Vendor Got India's National Board Exams

**An OSINT Investigation by Cashless Consumer**
**Published:** 30 May 2026
**Last updated:** 30 May 2026

---

## Executive Summary

In May 2026, the Central Board of Secondary Education (CBSE) released Class 12 board exam results processed through a new **On-Screen Marking (OSM)** system — the first time digital marking was used at this scale for a national board. The system, built by **Coempt EduTeck Pvt. Ltd.** (formerly Globarena Technologies Pvt. Ltd.), a Hyderabad-based EdTech company, processed answer sheets for **17,80,365 registered students** (17,68,968 who appeared).[^1]

Within days, the results triggered nationwide outrage:

- **Pass percentage dropped** from 88.39% (2025) to 85.20% — the steepest single-year decline in recent memory
- **2.61 lakh students** failed, many questioning the fairness of digitally-evaluated marks
- **Over 4 lakh students** applied for scanned copies of their answer sheets — an unprecedented volume
- A **19-year-old ethical hacker** disclosed critical security vulnerabilities in the evaluation portal, including a hardcoded master password in frontend JavaScript

This investigation traces the full supply chain: how the vendor was selected, the security architecture of the platform, leaked internal code, and the broader pattern of this same platform being reused across state-level examination boards — including the company's disastrous prior deployment in Telangana.

> **Key finding:** No Android or mobile application was involved in the scanning or evaluation pipeline. The system is entirely web-based. The OSINT uncovered leaked internal automation code on GitHub and a student's detailed tender analysis showing how CBSE repeatedly diluted procurement criteria.

---

## Part 1: The Vendor — Coempt EduTeck (formerly Globarena Technologies)

### Company Background

Coempt EduTeck Pvt. Ltd. operates from Hyderabad, India. The company rebranded from **Globarena Technologies Pvt. Ltd.** — a name it carried when it was responsible for one of the most damaging examination failures in Indian education history.

**Registered products:** OneX, Onmark, EzyTest, Learning, Digital Labs, DigiTab[^2]

- **Onmark** is the OSM evaluation platform (web-based, hosted at `*.onmark.co.in`)
- **DigiTab** — possibly a tablet-based solution, but no public APK was found on any app store or analysis platform

**Onmark.co.in** has been live since at least January 2015 (per the Wayback Machine), redirecting to coempt.in since November 2020. The platform is listed as serving "multiple boards & other institutions."[^3]

### The 2019 Telangana Intermediate Exam Fiasco

Before winning the CBSE contract, Globarena (now Coempt) deployed its examination platform for the **Telangana State Board of Intermediate Education (TSBIE)** in 2019. The results were catastrophic:

- **3.8 lakh students** failed due to software errors — missing marks, incorrect calculations, systemic data loss
- **23 students died by suicide** in the aftermath
- A government-appointed committee found Globarena **never signed a formal agreement** with TSBIE for the ₹4.35 crore project
- The committee's report cited **"systemic failures, procedural collapse, and glaring negligence"**[^4]

Despite this history, Coempt was not blacklisted and went on to win the CBSE national contract in 2025.

### The CBSE Tender — Rewriting Rules to Fit

Class 12 student **Sarthak Sidhant** conducted a detailed analysis of the three CBSE tenders for the OSM contract, published 29 May 2026. His findings, supported by official tender documents archived in our evidence collection, show a pattern of progressively relaxed procurement criteria:[^5]

| Criteria | Tender 2 (May 2025) | Tender 3 (Aug 2025) |
| --- | --- | --- |
| Poor performance disqualification | Explicit clause | Removed entirely |
| Blacklisting clause | "Blacklisted **earlier**" | Changed to "**Currently** blacklisted" |
| CMMI level | Required Level 5 | Dropped to Level 3 |
| Cooling-off period | 2 years | 1 year |
| Hardware ownership | Required | Removed |
| Software ownership | Required | Removed |
| Scanner quality | "Automatic book/robotics scanners" | Diluted to "sufficient scanners" |

The second tender (2025_MHRD_858645_1, issued 2 May 2025) attracted 4 bidders including TCS and Coempt. **All four failed technical evaluation** and the tender was cancelled.

The third tender (2025_MHRD_875046_1, issued 28 Aug 2025) attracted 3 bidders:

- **TCS** — cleared all thresholds by thousands of crores
- **Rankguru Technology Solutions** — 3-year average turnover of ₹117.56 crore
- **Coempt EduTeck** — 3-year average turnover of exactly **₹50.86 crore** — just 1.7% above the ₹50 crore minimum threshold

**Coempt won.**

The first tender (issued 4 Feb 2025) appears to have been **completely erased from the GeM (Government e-Marketplace) portal**. Sarthak scraped all 576 CBSE tenders on GeM and could not locate it. This is itself notable — government tender records are supposed to be publicly retrievable.[^6]

### Competitive Bidders

**Rankguru Technology Solutions Pvt. Ltd.** is the other significant bidder. Tofler financial reports for both companies are archived in our evidence collection. Coempt's financial statements show sales of ₹32.1 Cr (FY2023), ₹52.7 Cr (FY2024), and ₹67.8 Cr (FY2025).

---

## Part 2: The Platform Architecture & Security

### System Overview

The CBSE OSM portal at `cbse.onmark.co.in/cbseevalweb/` is an **Angular single-page application (SPA)**. The entire frontend logic ships in a bundled JavaScript file:

```markdown
https://cbse.onmark.co.in/cbseevalweb/main.dc17c24606b3b008.js
```

The workflow:

1. Physical answer sheets are **scanned at designated centres** (the exact scanning software is not public — likely industrial high-speed scanners with proprietary capture software, not a consumer Android app)
2. Scanned images are **uploaded to the Onmark platform**
3. Evaluators (teachers) **log into the web portal** and are assigned answer scripts for digital marking
4. Marks are submitted through the web interface

### Critical Security Vulnerabilities (Disclosed by Nisarga Adhikary)

**Nisarga Adhikary**, a 19-year-old cybersecurity researcher, discovered and reported five critical vulnerabilities to **CERT-In** (Ref: CERTIn-16590126) in February 2026. After three months without substantive response, he published his findings on 22 May 2026.[^3]

#### Vulnerability 1: Hardcoded Master Password

A literal plaintext password string was embedded in the frontend JavaScript bundle. When entered on the login page, the app **automatically filled the OTP field and bypassed the entire two-factor authentication flow**.

An attacker needed only:

1. A target examiner's **user ID** and **school code** (publicly obtainable)
2. The **master password** from the JS bundle

#### Vulnerability 2: Client-Side OTP Validation

The server **sent the OTP back in the authentication response**. The JavaScript compared what the user typed against the server-sent value — entirely in the browser. The "second factor" was security theatre.

#### Vulnerability 3: No Route Guards

Zero `canActivate` guards on Angular routes. Pages like `/dashboard`, `/evalscriptsview`, `/heallscripts`, `/evaluatordetails`, and `/verificationdashboard` were directly navigable by seeding fake values into `localStorage` and `sessionStorage`.

```javascript
localStorage.setItem('jwtToken', 'dev-token-12345');
sessionStorage.setItem('role_id', '23');
// Navigate to any page
window.location.href = '/cbseevalweb/#/dashboard';
```

#### Vulnerability 4: Password Reset Without Old Password

The `ChangePassword` API payload contained only `ValuatorID` and `pin_NewPassword`. The old password was collected in the UI but **never sent to the server**. Combined with the IDOR vulnerability below, this allowed resetting any examiner's password.

#### Vulnerability 5: Systemic IDOR

Almost every API call identified the user by reading `ValuatorID` from client-side storage (`sessionStorage["eval"]`). The server trusted whatever the client sent instead of deriving identity from the authenticated session. **Practically every POST endpoint** was affected.

**Combined attack chain:** IDOR → impersonate any examiner → ChangePassword without old password → full account takeover → view and alter marks.

#### Additional Finding: SQL Injection

On 27 May 2026, Nisarga discovered a **SQL injection** vulnerability and reported it to CERT-In. The response was a one-line "thank you" email. The portal was taken down shortly after.

### CBSE's Response

CBSE publicly **denied the vulnerabilities existed**, claiming the portal was a "test environment." This claim was contradicted by:

- CBSE's own official emails referencing the same URL (`cbse.onmark.co.in`)
- Production data accessible through the portal
- Nisarga's proof screenshots and screen recordings
- The same master password found in JS bundles of **other** `*.onmark.co.in` **subdomains**, all resolving to the same load balancer[^7]

---

## Part 3: No Android App in the Pipeline

### Search Summary

A comprehensive OSINT search across all major platforms found **zero evidence of any Android application** related to Coempt EduTeck's examination systems:

| Platform | Search Terms | Results |
| --- | --- | --- |
| Google Play Store | coempt, globarena, onmark, oneex, ezytest, digitab | None found |
| APKPure | coempt, globarena, onmark | None found |
| APKMirror | coempt, globarena, onmark | None found |
| VirusTotal | coempt, globarena, onmark | 0 files, 0 comments |
| Koodous | coempt, globarena, onmark | No APKs indexed |

Internal Coempt automation code (see Part 4) uses **Selenium WebDriver + TestNG** for web browser automation with **zero Android SDK or mobile dependencies**. The `file pom.xml` build files reference only web-related libraries (Selenium, TestNG, PDFBox, Apache POI, MongoDB driver, Freemarker).

The scanning step likely uses **industrial high-speed document scanners** (the tender documents reference "automatic book/robotics scanners") — enterprise-grade hardware that processes thousands of sheets per hour, controlled by proprietary Windows software. This is not a consumer Android app workflow.

---

## Part 4: Leaked Internal Code on GitHub

### Coempt Employee Repositories

GitHub user **segrgokul** (profile name: **S.E. Gokul Raj**) — almost certainly a Coempt employee — has published **11 public repositories** containing internal Coempt automation code. These are Selenium/TestNG test suites for Coempt's evaluation platforms.

**Package namespace:** `com.coempt` (confirmed via Maven `file pom.xml`)

**Internal project codenames discovered:**

- **KNR** — Kakatiya University (Warangal, Telangana)
- **NIZAM** — likely Nizam College / Osmania University (Hyderabad)
- **GITA** — likely Gandhi Institute of Technology and Management
- **SCTEVT** — State Council for Technical Education & Vocational Training

This confirms that Coempt's Onmark/OneX platform is deployed across **multiple state-level institutions** in addition to CBSE.

### SBTET Audit Repositories

Two independent security researchers have published audit repositories targeting the **AP SBTET (Andhra Pradesh State Board of Technical Education and Training)** examination system:

| Repo | Author | Commits | Files | Size |
| --- | --- | --- | --- | --- |
| `viswanthp/AP_SBTET_AUDIT` | viswanthp | 1 | 6,951 | 2.1GB |
| `akhi101/SBTET_AUDIT` | akhi101 | 27 | 9,608 | 872MB |
| `akhi101/sbtet_login_audit` | akhi101 | 100 | 12,347 | 2.7GB |

The `viswanthp` repo contains a full **.NET/MVC application** with Controllers, Models, BLL, and Web API configuration — likely a scraped or leaked copy of the SBTET examination portal. The `akhi101` repos contain the **SoftwareSuite** with controllers, login handlers, and connection logs.

**All repositories were live as of 30 May 2026.** Given the growing public scrutiny around Coempt's platforms, there is a significant risk these may be deleted or made private. Full clones have been archived (see repos summary below).

### Student Investigation Repository

**Sarthak-Sidhant/coempt** — Created 29 May 2026. An Astro blog by Class 12 student Sarthak Sidhant with the complete tender analysis. Includes:

- Original RfP documents for Tenders 2 and 3
- Full scrape of 576 CBSE tenders on GeM portal
- Tofler financial reports for Coempt and Rankguru

---

## Part 5: Shared Infrastructure — One Platform, Many Boards

### Evidence of Multi-Board Deployment

The Onmark platform is not exclusive to CBSE. Multiple lines of evidence confirm Coempt's platform operates across Indian examination systems:

1. **Leaked internal repos** reveal project codenames for at least 4 distinct state-level evaluation systems (KNR, NIZAM, GITA, SCTEVT)
2. **Nisarga Adhikary confirmed** the same master password exists in JS bundles of **other** `*.onmark.co.in` **subdomains**, and "every CBSE-related subdomain under onmark resolves to the same load balancer" [^7]
3. **SBTET audit repos** indicate the same Coempt-powered evaluation infrastructure is used by Andhra Pradesh's technical education board
4. **Coempt's own website** lists clients across multiple educational institutions

### Maharashtra State Board — Next in Line?

In May 2026, the **Maharashtra State Board of Secondary and Higher Secondary Education (MSBSHSE)** announced it would pilot **encrypted digital question paper delivery and on-screen answer sheet evaluation** during supplementary examinations. While the vendor has not been publicly confirmed, this follows the same pattern of states adopting OSM systems for board exams.[^8]

---

## Part 6: Timeline

| Date | Event |
| --- | --- |
| Jan 2015 | onmark.co.in registered (Wayback Machine) |
| 2019 | Globarena (now Coempt) fails 3.8 lakh TSBIE students; 23 suicides |
| Feb 2026 | Nisarga Adhikary discovers and reports vulnerabilities to CERT-In |
| 4 Feb 2025 | First CBSE OSM tender issued (later erased from GeM portal) |
| 2 May 2025 | Second tender — all 4 bidders fail technical eval, cancelled |
| 9 Feb 2026 | CBSE circular announcing OSM for Class 12[^9] |
| 13 May 2026 | CBSE Class 12 results released — pass % drops to 85.20% |
| 22 May 2026 | Nisarga publishes vulnerability disclosure blog |
| 25 May 2026 | Nisarga discovers additional SQL injection vulnerability |
| 27 May 2026 | Rahul Gandhi raises issue in Parliament |
| 28 May 2026 | CBSE denies vulnerabilities, claims "test environment" |
| 29 May 2026 | Sarthak Sidhant publishes tender analysis on GitHub |
| 30 May 2026 | Internet Freedom Foundation letter to CERT-In & Ministry of Education |

---

## Evidence Index

All evidence is organized in this collection:

- `/technical-evidence/` — Architecture analysis, vulnerability details, search results across platforms
- `/api-surface/` — Documented API endpoints, routes, and attack surface
- `/repos-summary/` — Summary of all cloned repositories with metadata
- Screenshots and archive artifacts referenced throughout

---

## Deletion Risk Notice

As of 30 May 2026, all GitHub repositories referenced in this investigation are **public and accessible**. However, given the ongoing public scrutiny, there is a material risk that Coempt employees or the security researchers may delete or privatize their repositories. Full git clones (with complete commit history) have been archived locally.

There is **no evidence** that any GitHub repository or Postman collection has been deleted or made private as of this writing. We will update this section if deletions are observed.

---

## Fact-Check Notes

1. **"17 lakh students"** — Correct. CBSE official data: 17,80,365 registered, 17,68,968 appeared, 15,07,109 passed for Class 12 2026.[^1] Some reports reference 18 lakh as a rounded figure for registrations.
2. **"40 crore scanned pages"** — This figure appears in social media commentary but is **not an official CBSE statistic**. It should be attributed as a third-party estimate, not presented as verified data.
3. **"3.8 lakh students failed in Telangana"** — This is widely reported and consistent with the Telangana government committee's findings.[^4]
4. **"23 students died by suicide"** — Widely reported in Telangana media. The exact attribution to the Globarena software failure (as opposed to other factors) is the government committee's assessment.
5. **All media URLs in the Nisarga Adhikary blog** were verified as live on 30 May 2026 (NDTV and Financial Express return HTTP 403 due to bot-blocking, but are not dead links).

---

## Sources

[^1]: NDTV — "CBSE 12th Results 2026" — https://www.ndtv.com/education/cbse-12th-results-2026-out-94-000-students-score-90-per-cent-or-above-pass-percentage-drops-by-3-19-per-cent-11489384
[^2]: Coempt EduTeck website — https://coempt.in
[^3]: Nisarga Adhikary vulnerability disclosure — https://ni5arga.com/blog/posts/hacking-cbse/
[^4]: Hindustan Times — "Telangana firm Coempt Edutech in focus amid CBSE OSM row" — https://www.hindustantimes.com/india-news/telangana-firm-coempt-edutech-in-focus-amid-cbse-osm-row-rahul-gandhi-101779942293536.html
[^5]: Sarthak Sidhant tender analysis — https://github.com/Sarthak-Sidhant/coempt
[^6]: CBSE tenders GeM scrape (gist) — https://gist.githubusercontent.com/Sarthak-Sidhant/97171b383ba5e2848293f77a6fba386e/raw/
[^7]: Nisarga Adhikary tweet on shared onmark subdomains — https://x.com/ni5arga/status/2059522207643312598
[^8]: Instagram/Mumbai Khabar — MSBSHSE OSM pilot announcement (May 2026)
[^9]: CBSE OSM circular — https://www.cbse.gov.in/cbsenew/documents/OSM_Class%20XII_09022026.pdf