"CMD.EXE has complicated parsing rules for the Command Arguments ... it’s possible to Inject Commands if someone can control the part of command arguments of the batch file"

https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/