Vulnerability in older versions of Identity Agent
Organisations are required to update to Identity Agent v2.4.10.0.
We have identified a medium-severity service vulnerability in all previous versions of the NHS Identity Agent, including v2.4.5.0 and v2.4.6.0.
Organisations are required to move to v2.4.10.0 as soon as possible, within their regular patching schedule, and no later than 12 October 2025. All previous versions of the Identity Agent client are retired with immediate effect.
Update Identity Agent
Guidance for IT support teams
When does this update have to be completed by?
As soon as possible, within your regular patching schedule, and no later than 12 October 2025. All previous versions of Identity Agent have been retired.
Can I overwrite previous versions of the Identity Agent with v2.4.10.0?
We strongly recommend that you uninstall any previous versions of NHS Identity Agent before beginning any new installation. No other programs are removed as part of this process.
We don’t have this issue in our organisation - do we need to update?
Yes - all previous versions of the NHS Identity Agent are now retired.
Is Oberthur middleware required?
Yes, Oberthur middleware is required on all machines that use a smartcard for authentication. Machines that use a smartcard for authentication without Oberthur middleware are unsupported and operating at risk.
Can I remove Gemalto middleware?
No, Gemalto middleware does not need to be removed from machines.
Are non-smartcard authenticators or NHS Smartcard Connect impacted?
No, non-smartcard authenticators and NHS Smartcard Connect are not impacted by this.
What versions of Credential Management are supported?
Last edited: 11 September 2025 12:25 pm