That’s a CH340G, it has an in-built 3.3V regulator. But there is no external regulator on the board.

Maybe the chip is running off its internal 3.3V, but the board designers put a tie-up resistor on one of its pins to 5V, which results in the weird 3.9V. Dunno. Try attaching a 1K resistor between that pin a GND, see if that makes the problem disappear.

The 5.3V is from your computer, that’s not the fault of the USB UART.

3.2V is perfectly acceptable for a 3.3V rail.

The 3.9V is a bit weird. Can you post a photo of your USB UART board? Maybe the main chip has an inbuilt 3.3V regulator separate to the external one.

Welcome to security news theatre :(

I don’t think espressif would bother suing, these kind of misshapen claims get constantly made against popular projects all of the time. It’s just unusual to see so much coverage about this particular one.

Bleepingcomputer’s title and article are very misleading, the presentation did NOT reveal a backdoor into an ESP32. It looks like Bleepingcomputer completely misunderstood what was presented (EDIT: and tarlogic isn’t helping with the first sentence on their site).

Instead the presentation was about using an ESP32 as a tool to attack other devices. Additionally they discovered some undocumented commands that you can send from the ESP32 processor to the ESP32 radio peripheral that let you take control of it and potentially send some extra forms of traffic that could be useful. They did NOT present anything about the ESP32 bluetooth radio being externally attackable.

Another perspective that might help: imagine you have a cheap bluetooth chipset that is open source and well documented. That would give you more than what the presentation just found. Would Bleepingcomputer then be reporting it’s a backdoor threatening millions of devices?