Specifically, as Lenovo said in an advisory notice, the auto-update feature in its Accelerator Application software can be exploited by a “man-in-the-middle attack”—someone could get in between the computer and the server pushing out the updated software, fooling the computer into installing a fake version of the update instead of the genuine article.

Such attacks can allow anything from surreptitious malware installation to the insertion of surveillance capabilities, or even the hijacking of PCs.

Get Data Sheet, Fortune’s technology newsletter.

The Lenovo Accelerator Application, which is supposed to make Lenovo’s preinstalled apps run faster, is found on many recent PCs that came with Windows 10, but not ThinkPad or ThinkStation machines.

Lenovo is the same manufacturer that preinstalled vulnerable ad-serving software called Superfish on its consumer laptops over a year ago. Then, late last year, it needed to tell customers to uninstall its “Solution Center” software because of a vulnerability.

Those episodes dented its reputation, and this latest case of vulnerable “bloatware” won’t help either.

For more on the Superfish scandal, watch our video.

The manufacturer was one of many found by researchers at Duo Labs to have preinstalled insecure software on their computers. Duo Labs’ report came out a couple days ago, also pointing fingers at Dell, Asus (ASUUY), Acer (ASIYF) and Hewlett-Packard (HPE)—in short, every vendor whose machines the researchers tested.

https://twitter.com/jonoberheide/status/737728680676462592

“Lenovo recommends customers uninstall Lenovo Accelerator Application by going to the ‘Apps and Features’ application in Windows 10, selecting Lenovo Accelerator Application and clicking on ‘Uninstall’,” Lenovo said in its advisory note—a document worth checking, as it includes a list of all affected models.

This article was updated to correct incorrect assertion that Duo Labs is Dutch.