The researchers said pre-2009 HP printers have no built-in security and will automatically accept any firmware update from any source, according to reports.
Initial reports by MSNBC said hackers could even set printers ablaze remotely, but HP has since issued a statement to refute the claim.
However, HP said it is “building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted”.
Until a firmware upgrade is available, HP recommends customers follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling the remote firmware upload option on exposed printers.
HP also highlighted the fact that all of its printers from 2009 onwards include digital signing to prevent this type of exploit, but the researchers said that still leaves tens of millions of devices vulnerable.
The security flaw on the pre-2009 machines allows hackers to send customized firmware to a printer that could enable them to render a user's printer useless, waste toner or overheat the device.
The researchers warned that once a printer is compromised, any update from HP will be useless, and said the same flaw could affect other printer makers, although this is yet to be tested.
This story was first published by Computer Weekly