[Sysosmaster]

This is only present in the CLI builds of php, And you should limit who can run the php scripts anyway on a production server.

Remember that setting up a reverse shell only requires a networkable shell (like bash). Most linuxes (including containers) there for have the capability of having reverse shells started on them. The way to protect abuse of PHP’s webserver function is the same as the one to protect against bash reverse shells. Do not allow any outbound traffic but only traffic you trust!

Do not blame php for having a feature that others have had for years. PHP’s version is no better or worse than any of them.