ctipilot.ch


Hardening and mitigation

From CTI Daily Brief — 2026-05-11 · published 2026-05-11

  • Patch is the primary mitigation: upgrade to PHP 8.2.31, 8.3.31, 8.4.21 or 8.5.6 (all released 2026-05-07). Inventory PHP versions across web-facing infrastructure, including container base images that may have pinned older PHP minors.
  • If patching is delayed: disable the SOAP extension where unused — phpdismod soap (Debian/Ubuntu), remove extension=soap from php.ini (RHEL family), or rebuild custom Docker images without the extension. Restart PHP-FPM after the change.
  • Where SOAP must remain available: front the SoapServer endpoint with a WAF rule blocking duplicate-key apache:Map patterns and unusually deep XML nesting, restrict the endpoint to known consumer IP ranges via firewall, and require mutual TLS for the SOAP endpoint where the integration partner supports it.
  • Defence-in-depth: run PHP-FPM workers with the minimum filesystem privileges they need, apply open_basedir restrictions, include exec, system, shell_exec, passthru, proc_open and popen in disable_functions, and confine the PHP worker process with SELinux or AppArmor so that any successful RCE has a limited blast radius.
  • Audit your SoapServer instantiations: grep -rn 'new SoapServer' /var/www/ to enumerate every endpoint; document which are exposed publicly versus internally; remove or restrict the publicly exposed ones unless business-justified.
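The inventory step above (patched version per minor, SOAP loaded or not) as a small POSIX sh helper. This is an added example, not tooling from the brief: the fixed releases are the four listed in the first bullet, and the only assumption is that php is on PATH when the local audit wrapper is used; the classification functions themselves run offline on version strings.

```shell
#!/bin/sh
# Added example: classify a PHP version against the fixed releases the brief
# lists (8.2.31, 8.3.31, 8.4.21, 8.5.6) and flag hosts where SOAP is loaded.

# php_fixed_for_minor MAJOR.MINOR -> prints the first fixed patch level,
# exit 1 when the minor is not covered by the advisory.
php_fixed_for_minor() {
    case "$1" in
        8.2) echo 31 ;;
        8.3) echo 31 ;;
        8.4) echo 21 ;;
        8.5) echo 6 ;;
        *)   return 1 ;;
    esac
}

# php_needs_patch VERSION -> exit 0 if below the fixed release for its minor,
# 1 if already fixed, 2 if the minor is not in the advisory list.
# Accepts "PHP 8.3.12-1ubuntu4" style strings (distro suffixes are dropped).
php_needs_patch() {
    ver=${1#"PHP "}
    ver=${ver%%[-~+]*}            # strip distro/package suffix
    major_minor=${ver%.*}         # 8.3.12 -> 8.3
    patch=${ver##*.}              # 8.3.12 -> 12
    patch=${patch%%[!0-9]*}       # 12RC1 -> 12
    fixed=$(php_fixed_for_minor "$major_minor") || return 2
    [ "$patch" -lt "$fixed" ]
}

# soap_loaded MODULES_TEXT -> exit 0 if "soap" appears in `php -m` output.
soap_loaded() {
    printf '%s\n' "$1" | grep -qi '^soap$'
}

# php_soap_verdict VERSION MODULES_TEXT -> prints PATCHED,
# VULNERABLE-SOAP-LOADED, VULNERABLE-SOAP-DISABLED or UNLISTED-MINOR.
php_soap_verdict() {
    if php_needs_patch "$1"; then rc=0; else rc=$?; fi
    case $rc in
        1) echo PATCHED ;;
        2) echo UNLISTED-MINOR ;;
        0) if soap_loaded "$2"; then echo VULNERABLE-SOAP-LOADED
           else echo VULNERABLE-SOAP-DISABLED; fi ;;
    esac
}

# Wrapper for the local interpreter (assumes php on PATH; not run offline).
php_audit_local() {
    command -v php >/dev/null 2>&1 || { echo "php not found" >&2; return 2; }
    php_soap_verdict "$(php -r 'echo PHP_VERSION;')" "$(php -m)"
}
```

Run php_audit_local inside each container image and on each host; anything reporting VULNERABLE-SOAP-LOADED is the first patching or phpdismod target.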