Blog
November 18, 2024
PHP 7.4 reached end of life (EOL) on November 28, 2022.
If your team is still running applications using PHP 7.4, then pursuing options to keep apps secure, compliant, and supported is critical. Migrating to a supported PHP version or establishing long-term support through a third party is essential to maintain application security.
To assist you as you build your upgrade plan, this blog answers frequently asked questions about PHP 7.4 end of life, walks through what PHP 7.4 EOL means for your application security, explores the consequences of continuing to use unsupported PHP, and discusses how to find the best migration or upgrade path for your team.
Get Support for PHP 7.4 EOL
Zend Long Term Support keeps your apps secure through 2026 with patched PHP 7.4 builds. Upgrade on your schedule, maintain compliance standards, and access 24/7/365 support.
PHP 7.4 EOL: Frequently Asked Questions
When Is the PHP 7.4 End of Life Date?
PHP 7.4 reached end of life on November 28, 2022.
How Long Will PHP 7.4 Be Supported?
PHP 7.4 is no longer supported by the community. However, through Zend PHP LTS services, PHP 7.4 can be supported through 2026.
How Many Teams Are Still Using PHP 7.4 EOL?
According to the 2025 PHP Landscape Report, 35.68% of PHP teams are still using PHP 7.4 in their applications.
However, using PHP 7.4 EOL and without support exposes mission-critical applications to serious security risks. Teams deploying PHP 7.4 EOL should make a support or upgrade plan as soon as possible.
Is PHP 7.4 Safe?
PHP 7.4, when used unsupported, is no longer secure. However, by working with a third party LTS provider like Zend, you can secure your PHP applications through 2026.
Should I Update PHP 7.4 to 8?
Yes, you should update PHP 7.4 to 8 or a different supported PHP version.
For more information on planning an update from PHP 7.4 to 8 or another supported PHP version, visit our in-depth guide, Setting Your PHP 7.4 Migration Strategy.
Is PHP 7 Outdated?
Yes, PHP 7 and all PHP 7.X versions are outdated, as PHP 7.4 was the last version of PHP 7.
Plan a migration or upgrade to a supported PHP version as soon as possible to keep applications secure, compliant, and performant.
Back to topOn-Demand Webinar: Are You Ready for PHP 7.4 EOL?
Join me for an on-demand discussion surrounding the impacts of PHP 7.4 EOL and exploring upgrade and migration solutions to keep your applications secure.
PHP 7.4 Vulnerabilities and Security Risks
After security support from the community ends, PHP versions enter end of life. This means that they do not receive security patches, bug fixes, or other updates from the community. As bugs and vulnerabilities accumulate, teams using end of life PHP versions expose their applications to compounding risks.
This is the case for PHP 7.4.
Known PHP 7.4 Security Vulnerabilities
As noted above, the accumulation of unpatched vulnerabilities adds an increasing amount of security risk to the application. If left unmitigated, these vulnerabilities can and will be exploited. Additionally, the longer a PHP version is EOL, the more Common Vulnerabilities and Exposures (CVEs) will be identified.
For instance, in 2024 alone, several PHP 7.4 vulnerabilities have been discovered.
CVE | Severity | Type | Subject | Date | Affected PHP Versions |
| CVE-2024-1874 | Critical | Remote Code Execution | Command injection via array-ish $command parameter of proc_open even if`bypass_shell option enabled on Windows | 2024-02-25 | 7.4.0 - 7.4.33 |
| CVE-2024-4577 | Critical | Remote Code Execution | php: Argument Injection in PHP-CGI | 2024-06-07
| 7.4.0-7.4.33 |
| CVE-2024-2408 | Moderate | Information Disclosure | php: potential exposure to Marvin attack via unsafe implementation of RSA decryption API | 2024-06-07 | 7.4.0-7.4.33 |
| CVE-2024-8926 | High | Remote Code Execution | php: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass) | 2024-10-07 | 7.4.0-7.4.33 |
| CVE-2024-8927 | High | Remote Code Execution | php: cgi.force_redirect configuration is bypassable due to the environment variable collision | 2024-10-07 | 7.4.0-7.4.33 |
| CVE-2024-8925 | Moderate | Cross-Site Request Forgery | php: Erroneous parsing of multipart form data | 2024-10-07 | 7.4.0-7.4.33 |
This list is non-exhaustive, and it represents only a snapshot of ongoing PHP 7.4 vulnerabilities now that PHP 7.4 end of life has occurred. If applications using PHP 7.4 EOL do not upgrade to a supported version, or if they continue to use PHP 7.4 EOL without third-party long term support, they will be left vulnerable to these and yet-to-be identified PHP 7.4 security vulnerabilities.
Back to topStay Up to Date on the Latest PHP 7.4 Vulnerabilities
The Zend Security Center is designed to help developers identify and mitigate PHP vulnerabilities before they become problems, keeping your PHP application secure and compliant.
What Does PHP 7.4 EOL Mean?
Most teams are well acquainted with the consequences of unsupported end of life technologies. Every year, new vulnerabilities are discovered within unsupported technologies – with high-profile exploits of these vulnerabilities making their way to front pages around the world.
But security isn’t the only consequence of unsupported PHP 7.4 applications. Teams working with EOL PHP versions also expose their applications to decreased performance, reduced application stability, and the lost-opportunity cost of maintaining an EOL PHP version, like PHP 7.4, when they could be helping to further the goals of the business.
Performance
One of the often overlooked aspects of using PHP 7.4 end of life is performance. New versions of PHP regularly add new features and improvements to the language that can reduce development, hosting, or hardware costs for the application. While this might seem like a lesser consideration, these costs can add up quickly – especially when deploying a large number of PHP applications, or applications that receive large amounts of traffic.
Application Stability
If applications aren’t regularly updated to new technology versions, there can be a growing risk of application downtime. As an example, an application running an EOL PHP version might be using a library that has since been deprecated. A bug within that library could cause the application to crash. Now imagine enterprise applications with dozens of un-updated libraries, or libraries that have been updated and cause issues with the EOL PHP application.
Opportunity Costs
Lastly, there’s the danger of lost opportunity cost. Running an EOL PHP version means spending time on things like building or backporting patches for security issues and bugs. For supported PHP versions, this isn't an issue, and allows teams to better focus on improving the security, performance, or functionality of your application.
Backporting bug fixes and security patches isn't the only time-consuming aspect of maintaining an EOL PHP application, either. Profiling and improving performance on an application running on an EOL PHP version can be time intensive. But even the best performance improvements on that application can be overshadowed by the performance improvements gained by migrating to a new PHP version. That's not to mention new language features in newer versions that can solve a variety of problems for businesses.
The takeaway from this is that there are a number of hidden costs of running EOL PHP applications that can directly or indirectly impact the health of your application and business, and the time committed to things like backporting patches can lead to lost opportunities for improving your application and business.
Back to topPHP 7.4 EOL Support Options
To avoid the risks associated with unsupported PHP 7.4 EOL versions, teams need to regularly plan and execute PHP upgrades and migrations. PHP 7.4 EOL is no exception.
Upgrading Your Applications After PHP 7.4 EOL
For teams with a limited number of applications or less complex codebases, upgrading or migrating from PHP 7.4, such as migrating to PHP 8.2, may be straightforward – depending on the changes between the origin and destination versions. For others, planning migrations for many applications (or particularly complex applications), can be a much more time-intensive exercise.
One thing to keep in mind for teams tasked with migrating PHP 7.4 is that this is the final PHP 7 minor release, meaning that there is no guarantee that the destination PHP version will be backwards compatible. More often than not, these major versions are only released when changes there are breaking changes to existing APIs that are exposed to consumers.
For teams planning PHP migrations or upgrades, having a consistently audited and profiled set of applications is key to understanding the impact of these major version upgrades on your code base, the scope of a given migration for your team, and the potential impact to the overarching business.
Self-Support
Self-support is another option for teams working with EOL PHP 7.4 applications. However, teams that choose this route need to understand the impact this can have on their business. As noted above, developers who are busy developing patches for CVEs are developers who aren’t working on developing new applications, improving existing applications, or working on all the things that will make the next migration easier. While self-support may be a valid option for larger enterprises with resources dedicated to developing patches and fixes in house, it’s not a cost-effective option for 99% of companies.
Finding Long-Term Support
For teams that, for one reason or another, can’t migrate before PHP end of life hits, finding a reliable source of security patches is key to maintaining the stability and security of their given PHP applications. Luckily, there are third-party options for PHP long-term support that can help teams to keep their EOL PHP applications supported, such as Zend PHP LTS.
PHP 7.4 EOL Timeline With Zend PHP LTS
| PHP Version | Release Date | Active Support End Date | End of Life / Security Support End Date | Zend PHP 7.4 LTS End Date |
| 7.4 | November 28, 2019 | November 28, 2021 | November 28, 2022 | December 2026 |
Zend PHP LTS options are built to support your applications, offering two years of additional security support after community support ends, as with PHP 7.4. We help you to upgrade on your schedule while saving you money on refactoring, ensuring your application maintains compliance, and offering full support services.
Final Thoughts
Migrating or upgrading your EOL PHP is crucial to avoiding organizational risk – and PHP 7.4 is no different. As you and your team build your migration and upgrade strategy, make sure to contact Zend. Our PHP experts are at your disposal, and we're ready to help you make the move from PHP 7.4 to supported versions quickly, easily, and with minimal delay.
Secure Your PHP Applications With LTS and Migration Services
Ready to plan your migration and support strategy for PHP 7.4 applications? Zend is here to help. Check out our LTS options, and explore our migration services.
Additional Resources
- Services - Zend Black Belt PHP Support Services
- 101 Guide - PHP Security
- White Paper - The Hidden Costs of PHP Upgrades
- White Paper - Planning Your Next PHP Migration
- Case Study - mittwald Managed Hosting Customers Stay Secure With PHP LTS
- Case Study - Bark.com Modernizes Mission-Critical PHP Application
- Blog - Ubuntu 20.04 PHP Support After EOL: Are You Ready?
- Blog - How to Assess and Prevent PHP Vulnerabilities
- Blog - How to Upgrade PHP
- Blog - PHP Migrations: When Is Migrating the Right Choice?