ESP32 backdoor found and verified - 20250308

Espressif has also put out a response to cover this: Espressif’s Response to Claimed Backdoor and Undocumented Commands in ESP32 Bluetooth Stack | Espressif Systems

Highlights:

No Remote Access: They cannot be triggered by Bluetooth, radio signals, or over the Internet, meaning they do not pose a risk of remote compromise of ESP32 devices.
Security Impact: While these debug commands exist, they cannot, by themselves, pose a security risk to ESP32 chips. Espressif will still provide a software fix to remove these undocumented commands.
Scope: If ESP32 is used in a standalone application and not connected to a host chip that runs a BLE host, the aforementioned HCI commands are not exposed and there is no security threat.

There are also some other notes about which devices are affected, their bug bounty program, their continued commitment, etc., which you can read at the link.

Edit: Typo