News

For most Grade 12 CBSE students in Dubai, the final stretch of the academic year is consumed by board exam preparation, university applications and the wait for results. For Rylen Anil, a 16-year-old Class 12 student in the city, it has also involved finding, reporting and helping to fix serious security weaknesses in three of India's most consequential education platforms. His story has now made headlines in both Indian and UAE media, and offers UAE parents and students a striking example of what responsible, curiosity-led learning in technology can look like.

The discovery that went viral overnight

Rylen's story starts in a way most students will recognise: a quiet evening, a laptop, and curiosity. After hearing about a separate security breach involving a CBSE educational portal, he turned his attention to two of the biggest exam systems in India: the JEE Advanced portal, the gateway to the IITs, and the NEET portal, the gateway to medical college admissions for millions of Indian students.

In just three to four hours, he was inside both. He then did what ethical hackers are supposed to do. He reported the vulnerabilities to CERT-In, India's national cybersecurity response team, and posted publicly about what he had found on X.

He did not tell his parents. He went to school the next morning as usual. By the time the school day ended, the story had exploded across Indian media, with headlines along the lines of "16-year-old hacks into NTA website." Rylen's mother saw the coverage before she heard from him.

The first reaction at home, he later told Khaleej Times, was less proud than concerned. He recalled his parents asking if he was going to jail, having seen the first headline. Once he explained what he had actually done, and how, the worry turned to support. His father, who comes from a tech background, understood the difference between responsible disclosure and a malicious attack.

What the flaws actually were

The Gulf News interview lays out the technical findings in more detail. The two vulnerabilities were quite different from each other, but both put sensitive student information at risk.

For JEE Advanced 2026, the problem was a misconfiguration in publicly accessible cloud storage. The result was that 179,600 result records and 187,300 admit-card PDFs containing candidate names, dates of birth and mobile numbers were exposed without authentication. According to Rylen, all of the result details and admit cards had been stored on one server that had been misconfigured at the level of how it was set up, which is what allowed him to access the data.

The NEET portal failure was different. Here the issue was extremely weak credentials on the super-admin portal. By bypassing those controls, Rylen could view not just student information but parent data as well, including phone numbers and other personal details.

The third discovery, made together with a fellow ethical hacker named Nisarga, sat inside the CBSE's own infrastructure: the OnMark evaluation portal, part of the board's On-Screen Marking system used to mark Class 12 board exam papers. Initial access was through guessable credentials, but once inside, the pair found that evaluator emails, usernames, passwords, phone numbers, institution details and subject assignments were all exposed. From those evaluator accounts, scanned answer scripts and the live marking interface were also reachable. The vulnerability was reported to CERT-In, and the portal has since been fixed and taken offline.

Rylen was careful in how he handled the data itself. Personal details and photographs were redacted in his public posts, and only a small number of files were downloaded for verification purposes and then deleted. No JEE candidate data was leaked in full as a result of his work.

The official response

The reaction from Indian authorities was swift and, by Rylen's own account, appreciative. The Director General of the National Testing Agency, Abhishek Singh, personally contacted him to thank him for identifying the vulnerabilities and bringing them to the agency's attention. IT staff from the IITs and the NTA followed up to request further technical detail and to act on the issues.

IIT Roorkee posted an official statement on X acknowledging the misconfiguration and Rylen's role in surfacing it, explaining that the issue had been rectified and access to the data restricted. Other IITs issued similar statements, framing the brief misconfiguration as a side-effect of emergency technical fixes made to help candidates who could not access their admit cards.

Rylen's own assessment of the response is positive but measured. The willingness to listen and resolve quickly, he said, matters as much as the speed of the technical fix.

What this signals about young ethical hackers

Rylen is part of a small but growing network of young ethical hackers in India who have been scrutinising the country's education technology infrastructure. Peers such as Nisarga and Sarthak Sidhant, both teenagers, have been similarly active. In a notable development, Sarthak Sidhant, 17, appeared before a Parliamentary Standing Committee in India to present findings on alleged irregularities in the CBSE's tendering process for its On-Screen Marking system.

For Rylen, that appearance signals that the work being done by this generation of young researchers is being taken seriously at the highest levels.

His broader argument is one that experienced cybersecurity professionals will recognise. Major corporations such as Google, Microsoft, Amazon and Meta employ ethical hackers to proactively find vulnerabilities in their platforms. He believes governments handling vast amounts of sensitive citizen data, including in education, should do the same, finding flaws before malicious actors do.

He also raised a warning that is worth taking seriously. Some of these portals, he suggested, may still contain vulnerabilities that have not yet been found, and if bad actors find them first, the consequences could be serious.

A passion that started with gaming

Rylen's interest in technology did not begin with security research. It began with gaming, and with the kind of casual computer exploration that any parent reading this has probably seen in their own household.

Since Grade 8, he has been exploring computer systems and programming. Along the way, he picked up cybersecurity skills and got comfortable with Linux. Those interests came together in what he achieved here. Far from viewing gaming as a distraction from learning, he credits it with sparking his interest in technology in the first place.

His message to other students reflects that. Continue playing games, he said, and use that natural interest in computers as a starting point. The skills that build up around that curiosity can, eventually, lead to doing something significant in the world.

He also credits his teachers for steering him in the right direction once he expressed his passion, motivating him to enter competitions and giving him opportunities throughout his journey. It is a useful reminder for parents that early support from a school can shape where a child's interests lead by the time they reach Grade 12.

What comes next

Rylen plans to study cybersecurity at university, ideally in the United States, and aims one day to become the chief information security officer of a major company. Given where he already is at 16, the trajectory is not hard to imagine.

For UAE families, the story is worth flagging for two reasons. First, it is a genuinely impressive moment for a Dubai-based CBSE student, and one worth celebrating in a school year that has otherwise been dominated by exam disruption headlines. Second, it offers a useful conversation to have at home. The same curiosity that leads a child to spend hours inside a video game or a piece of code can, with the right support and the right ethics, lead to work that protects millions of other students.

For the CBSE student community in particular [internal link: your CBSE Class 12 results article if you have one], it lands at exactly the moment when the limits and vulnerabilities of digital exam infrastructure are a live conversation. Rylen's story is a reminder that the people best placed to push for stronger systems are often the ones using them.

Sources:

Khaleej Times, "'Are you going to jail?': Dubai teen who exposed India's NEET, JEE flaws recalls parents' shock" by Nandini Sircar (June 4, 2026). https://www.khaleejtimes.com/uae/education/dubai-student-exposes-security-flaws-india-neet-jee-exam 

Gulf News, "The 16-year-old in Dubai who exposed India's most critical exam portals and reported what he found" by Zainab Husain (June 5, 2026). https://gulfnews.com/uae/education/the-16-year-old-in-dubai-who-exposed-indias-most-critical-exam-portals-and-reported-what-he-found-1.500564493