Lenovo has urged users to uninstall bloatware bundled on Windows 10 devices by the company after critical security holes were discovered. 

The Chinese PC maker said in a security advisory a vulnerability within the company's Lenovo Accelerator Application software is a "high severity" problem which could give attackers the avenue to launch man-in-the-middle attacks against users. MITM attacks occur when a vulnerable machine has been infected with malware which contains surveillance capabilities or a vulnerable web browser is communicating with an insecure server. This type of attack may not show visible signs.

A security researcher has discovered a number of vulnerabilities in Lenovo’s SHAREit app, the worst being the use of “12345678” as a hard-coded, default password. The problems have been patched in the software’s latest release.

SHAREit is an app found on many of Lenovo’s products to allow users to share files across devices. Some ThinkPad, and IdeaPad computers, along with Lenovo smartphones, were impacted by the bug. Core Security found four vulnerabilities in the app but the password issues stick out the most. In one of its advisories, Core Security found that when the app is receiving files, it sets a password on a Wi-Fi hotspot.

A trifecta of vulnerabilities has been found in software preinstalled on a number of Dell, Toshiba, and Lenovo consumer and enterprise PCs and tablets, affecting millions of users.

A proof-of-concept that was posted online could allow an attacker to run malware at the system level, regardless of what kind of user is logged in. A user can be tricked into opening a specially-crafted web page, either as a drive-by download or through an email attachment, which could allow an attacker to exploit the flaw. The security researcher confirmed that he did not inform Dell, Toshiba, and Lenovo of the flaws before the the proof-of-concept code was posted online.