By design, escapeshellcmd() does not escape single or double quotes when they are paired.
This behavior allows attackers to pass an arbitrary number of arguments. Apply escapeshellarg() to each argument instead.

<?php
$filename = 'test.php" "/etc/passwd';
$cmd = "ls \"$filename\"";
$cmd = escapeshellcmd($cmd); // EscapeShellArg: This function allows attackers to pass arbitrary number of arguments.
system($cmd);

<?php
$filename = 'test.php" "/etc/passwd';
$filename = escapeshellarg($filename); // OK!
$cmd = "ls $filename";
system($cmd);
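
The following added example is not part of the original page. It counts how many arguments the shell actually receives for the same `$filename` after each escaping function, and then builds the command with every argument quoted separately. `count_args()` and `build_cmd()` are hypothetical helpers, and a POSIX `/bin/sh` is assumed.

```php
<?php
// Added example, not from the original page. count_args() and build_cmd()
// are hypothetical helpers; a POSIX /bin/sh is assumed.

/** Return how many arguments the shell passes along for the given argument text. */
function count_args(string $argText): int
{
    // The fixed prefix is trusted code and is deliberately kept out of
    // escapeshellcmd(), which would otherwise escape the "$#" inside it.
    return (int) shell_exec("sh -c 'echo \$#' sh " . $argText);
}

/** Build a command line with every argument quoted on its own. */
function build_cmd(string $program, array $args): string
{
    // "--" ends option parsing for programs that follow the POSIX convention,
    // so a value that starts with "-" is still treated as a file name.
    $parts = [escapeshellarg($program), '--'];
    foreach ($args as $arg) {
        $parts[] = escapeshellarg((string) $arg);
    }
    return implode(' ', $parts);
}

$filename = 'test.php" "/etc/passwd'; // constructed input, same value as above

// The double quotes are paired, so escapeshellcmd() leaves them alone.
$weak = escapeshellcmd("\"$filename\"");
echo $weak, ' => ', count_args($weak), " argument(s)\n";

// escapeshellarg() wraps the whole value in single quotes.
$safe = escapeshellarg($filename);
echo $safe, ' => ', count_args($safe), " argument(s)\n";

// Command line with each argument escaped individually.
echo build_cmd('ls', [$filename]), "\n";
```

Passing arguments as an array to a helper like this keeps the escaping in one place, so no call site can forget it for a single argument.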