TL;DR: PHP support windows end in stages, and once a version reaches EOL it moves outside formal support, leaving vulnerable systems exposed to unpatched flaws, compatibility breaks, and operational disruption, according to Cybertrust Japan. For identity and security teams, software lifecycle management is part of resilience, because outdated runtimes often sit beneath the credentials, sessions, and admin tooling that attackers target.
NHIMG editorial — based on content published by Cybertrust Japan: support ended is not just for OS. Are you aware of software EOL too?
Questions worth separating out
Q: What breaks when a PHP application stays on an unsupported version?
A: The main failure is not immediate outage but loss of security assurance.
Q: Why does PQC planning matter to IAM and PAM teams?
A: Because authentication, privileged access, and workload trust all depend on cryptographic primitives that may need post-quantum replacement.
Q: How do security teams decide whether to keep an old runtime temporarily?
A: Teams should only keep it with a documented exception, a named owner, compensating controls, and a migration deadline.
Practitioner guidance
- Map every supported and unsupported runtime Build a software inventory that records PHP version, host OS, framework dependencies, and support status for every application.
- Set migration deadlines before support expires Assign a retirement date to each unsupported PHP version and tie it to a business owner, an engineering owner, and an approved exception path.
- Refresh identity-adjacent web tiers first Prioritise the PHP systems that handle authentication, admin access, session management, and customer or partner portals.
What's in the full article
Cybertrust Japan's full blog covers the operational detail this post intentionally leaves for the source:
- Version-by-version support timelines for PHP and the transition points that change risk.
- Practical guidance for upgrading PHP alongside operating system refresh cycles.
- Extended lifecycle support options for environments that cannot migrate immediately.
- Examples of how older PHP stacks affect application compatibility and maintenance planning.
👉 Read Cybertrust Japan's analysis of PHP end of life risk and extended support →
Software EOL risk: what practitioners need to do now?
Explore further
Software lifecycle debt is a security control failure, not a housekeeping issue. When runtime support ends, the organisation is no longer operating with a manageable patch posture, it is operating with an explicit exception. That exception often sits beneath web applications that authenticate users, manage sessions, and call downstream services, so the blast radius extends beyond one package. The practical conclusion is that lifecycle enforcement belongs in security governance, not just in development planning.
A question worth separating out:
Q: Who is accountable when unsupported software causes a breach?
A: Accountability should sit with the business owner of the service, the technical owner of the platform, and the security function that enforces lifecycle controls. For regulated environments, auditors and risk teams will expect evidence that end-of-life decisions were tracked, approved, and acted on before exposure became incident response.
👉 Read our full editorial: PHP EOL and software support gaps are a business security risk