Siemens Desigo PX is a building automation control system from Siemens (Germany). Multiple Siemens products are vulnerable to operating system command injection. The vulnerability stems from the presence of incorrect neutralization of special elements used in O commands with root privileges during restore operations, which can be exploited by a remote attacker with low privileges to execute arbitrary system commands with root privileges on the device by restoring a specially crafted package.