Siemens Desigo PX is a building automation control system from Siemens, a German company. The information disclosure vulnerability in several Siemens products stems from the fact that the endpoint of the “Operation” web application that interprets and executes Axon language queries allows file read access to the device file system with root privileges, which can be exploited by a remote attacker with low privileges to read sensitive files on the device by providing specific I/O-related Axon queries to read sensitive files on the device.