Edit: so yeah, further reading into this and some video later from LowLevel confirmed that this is quite nothing burger. The “vulnerability” is an undocumented HCI command. Host to Controller Interface. Meaning that it is something the HOST (the ESP) dispatch to the Bluetooth Interface. To take advantage of such a command, you need to already have access to the ESP32 in the first place.

So, the tl;dr is that the “vulnerability” only matters when the attacker has access to the device already. Not really that big of an issue. an attacker can gain access to the ESP32 not the device that connects to the ESP themselves. I don’t know how bluetooth pairing would behave when the device that once masquerade as a light switch now advertises themselves as smart watch. I presume it would require further confirmation from the user. If that is the case, then the danger is when ESP32 is used in a device that is already collecting sensitive information with an active bluetooth stack since that device can now be remotely hacked. But I will defer my judgement on this matter after the PoC has been demonstrated (can’t find any demo of any proof of concept attack, just the same article copy pasted multiple times on different site)