After 25 years of brave & brilliant work by hundreds of scientists in my lab to understand then safely reverse aging for the first time, it was moving to witness the first human dose being delivered 🥹 https://t.co/veQsyUEORz
Here is the complete information about the CBSE RCE incident from 29 May 2026. I found it and fully owned the server in just 3-4 hours. I’ll break down exactly what happened, in plain language anyone can follow. The same issues were present on the MRVV OnMark portal too.
The CBSE OSM portal, where evaluators check answer sheets and upload marks, had a serious flaw on the login page.
It accepted the username and password in JSON format but pasted the password straight into a dynamic SQL query with no safe handling or parameterization.
I sent a simple timing test that made the database pause for 10 seconds, proving stacked queries were possible. Within minutes I had full database access on the backend Microsoft SQL Server 2019 running on Windows/IIS, with dbo privileges and visibility across hundreds of tables.
Directory listing was enabled on the /bin/ folder, so I could download the compiled .NET DLLs. Decompiling them revealed hardcoded SA database credentials that were reused across CBSE production servers, other Onmark portals, and the MRVV OnMark portal.
This reuse across shared components made it a supply chain attack - one weak framework affected multiple education boards, made worse by database replication.
With SA-level database access I used native SQL Server tools to write a custom webshell straight into the webroot.
That gave me immediate arbitrary OS command execution and full file system operations under the IIS application pool identity.
From there, the overly permissive app pool account let me escalate in one move to NT AUTHORITY\SYSTEM (full Windows server control) by creating and running an elevated scheduled task. Complete server ownership in a few hours: I could read, write, or execute anything.
Millions of records were exposed, including student marks, answer scripts, and evaluator personal and banking details. I took or kept no data, reported everything to CERT-In and removed access by May 29.
Root causes were straightforward: direct SQL concatenation, hardcoded credentials in assemblies, directory browsing left on, over-privileged IIS pool, and no real auditing of shared codebases.
It wasn't a hard job to get into other OnMark portals because all of them were sharing the exact same vulnerabilities. This is exactly why this became one of the biggest supply chain attacks in recent education tech: one weak shared framework compromised multiple boards at once, with database replication making the impact even larger.
Fixes are basic but essential: use parameterized queries everywhere, store secrets properly in vaults without hardcoding or reuse, turn off directory listing and risky SQL features, apply least privilege, and run regular security reviews on shared platforms.
This shows how quickly a short chain of basic mistakes can lead to full compromise in critical education systems, putting data of lakhs of students at risk.
#CBSE #OSM #RCE #ONMARK
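The root cause and fix named in the post above (a password concatenated into the login query versus a parameterized query), as an added example that is not part of the original post or the portal's code. It uses Python's sqlite3 as a stand-in for SQL Server; the table, column and function names and the sample account are constructed.

```python
import json
import sqlite3

def make_db():
    """In-memory stand-in for the portal's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE evaluators (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext only to keep the demo short; real systems store salted hashes.
    db.execute("INSERT INTO evaluators VALUES (?, ?)",
               ("eval01", "it's-a-long-passphrase"))
    return db

def _creds(body):
    """Parse the JSON login body; reject anything that is not two strings."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    user, pw = data.get("username"), data.get("password")
    if isinstance(user, str) and isinstance(pw, str):
        return user, pw
    return None

def login_concatenated(db, body):
    """The flawed pattern: the password becomes part of the SQL text."""
    creds = _creds(body)
    if creds is None:
        return False
    sql = ("SELECT 1 FROM evaluators WHERE username = '%s' AND password = '%s'"
           % creds)
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return None  # the input changed the statement's structure

def login_parameterized(db, body):
    """The fix: SQL text is constant, values travel as bound parameters."""
    creds = _creds(body)
    if creds is None:
        return False
    row = db.execute(
        "SELECT 1 FROM evaluators WHERE username = ? AND password = ?", creds
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    good = json.dumps({"username": "eval01", "password": "it's-a-long-passphrase"})
    print(login_concatenated(db, good), login_parameterized(db, good))
```

A legitimate password containing an apostrophe is a cheap regression test: if it breaks the login query, user input is reaching the SQL parser as code.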
@HYDTP TG34U0515
This guy hit our car from behind, possibly being distracted, and didn't give us any details, including a phone number, and said do whatever you want and took off.
He also crossed the double white lines. This is near the Wipro circle.
Whoever is running this handle.
Please. Just buy a 200 USD Claude account and point it at the servers and ask it to do an audit.
And then ask it to fix it.
Most of your issues will be resolved in this pass.
Found a cool bug at Meta.
From misconfigured Grafana instance to R/W access on 507 private Meta repositories.
Wrote up the full chain here:
https://t.co/LYQ0prc68d
$157k bounty awarded by @metabugbounty
The Delhi High Court just ruled against Google in a trademark case that every Indian founder needs to know about!!
Hindware sued because searches for "Hindware" returned competitor ads - Cera, Grohe, above their own listing. Customers looking specifically for Hindware were being intercepted at the moment of highest intent.
The court ruled it trademark infringement. Competitor keyword bidding on your brand name is now legally actionable in India.
Search your brand name on Google right now.
If a competitor's ad appears before yours, you have a case, and your competitor has a problem.
This reshapes performance marketing in India. Keyword bidding on competitor names is standard practice across every category - beauty, fintech, edtech, D2C.
The brands doing it most aggressively are also the ones most exposed to this ruling. Let's see how this pans out.
I once criticized CERT-In on LinkedIn and got calls from terrified employers (past & then present) asking me to remove it.
I said no and proceeded to change all my employment history to ‘Confidential’ to ease their worries.
The reason they panic is because they don’t want to lose their “CERT-In Empanelment”.
CERT-In Empanelment is one of the biggest scams in the Indian cyber security industry.
CERT-In makes you go through several stages of tests (all worthless btw) and then “certifies” you as an empaneled auditing firm.
This status then allows you to bid on government contracts for cyber security projects along with enabling you to serve compliance customers under regulatory bodies.
If, for whatever reason, CERT-In decides to revoke this empanelment, the firm would lose the majority of its business.
That’s how CERT-In keeps all the major cyber security firms in India under their thumb.
Wondered why we don’t hear about heart cancer?
Contraction-sensing Nesprin-2 protein is discovered to prevent heart cancer
By causing cells to pulse (or adding in Nesprin) we might be able to treat cancer in other organs 👏
@ScienceMagazine
Time Dilation kind of makes the whole “datacenters in space” idea more fun.
Technically…something like a GPS Block III CPU runs an extra ~7,000 clock cycles per day compared to the same machine on Earth.
Extend this to the extreme, and you get the whole subfield of CS+physics called relativistic hypercomputation.
There are some (fun?) papers that allow you to solve the halting problem by placing yourself dangerously close to a black hole…while your computer safely computes for ~infinite-ish amounts of time.
One of the better papers on this field appears to be:
"Relativistic computers and the Turing barrier" (Németi & Dávid 2006)
(sadly, the maximum speedup just escaping Earth's gravity well is something like 1 x 10 ^ (-10), so yeah the black hole thing is kinda necessary)
@nvidia CEO Jensen Huang says that he doesn't know what else is better than wishing upon aspiring people to suffer in life so that they would learn the RIGHT lesson
He is soooo wrong in the thinking process, though.
What we should wish upon youngsters is not that they should suffer to learn the right lesson.
We NEED to wish upon the youngsters that they should try to solve the hardest problem they can ever conceive of. In the path towards doing that, they would learn the right lesson