diff --git a/components/wpa_supplicant/src/common/scan.c b/components/wpa_supplicant/src/common/scan.c
index 7625de274f..46dab15be1 100644
--- a/components/wpa_supplicant/src/common/scan.c
+++ b/components/wpa_supplicant/src/common/scan.c
@@ -38,6 +38,10 @@ void wpa_supplicant_req_scan(struct wpa_supplicant *wpa_s, int sec, int usec)
 	}
 	params = os_zalloc(sizeof(*params));
 
+	if (!params) {
+		wpa_printf(MSG_ERROR, "Memory allocation failed");
+		return;
+	}
 	if (wpa_s->wnm_mode) {
 		/* Use the same memory */
 		params->ssids[0].ssid = wpa_s->current_bss->ssid;
diff --git a/components/wpa_supplicant/src/common/wnm_sta.c b/components/wpa_supplicant/src/common/wnm_sta.c
index 84c25c8fe3..284712f8b0 100644
--- a/components/wpa_supplicant/src/common/wnm_sta.c
+++ b/components/wpa_supplicant/src/common/wnm_sta.c
@@ -470,15 +470,15 @@ static void wnm_send_bss_transition_mgmt_resp(
 	struct wpabuf *buf;
 	int res;
 
-	wpa_printf(MSG_DEBUG,
-		   "WNM: Send BSS Transition Management Response to " MACSTR
-		   " dialog_token=%u status=%u reason=%u delay=%d",
-		   MAC2STR(wpa_s->current_bss->bssid), dialog_token, status, reason, delay);
 	if (!wpa_s->current_bss) {
 		wpa_printf(MSG_DEBUG,
 			   "WNM: Current BSS not known - drop response");
 		return;
 	}
+	wpa_printf(MSG_DEBUG,
+		   "WNM: Send BSS Transition Management Response to " MACSTR
+		   " dialog_token=%u status=%u reason=%u delay=%d",
+		   MAC2STR(wpa_s->current_bss->bssid), dialog_token, status, reason, delay);
 
 	buf = wpabuf_alloc(BTM_RESP_MIN_SIZE);
 	if (!buf) {
@@ -653,7 +653,7 @@ static void wnm_dump_cand_list(struct wpa_supplicant *wpa_s)
 static void wnm_set_scan_freqs(struct wpa_supplicant *wpa_s)
 {
 	unsigned int i;
-	int num_chan;
+	int num_chan = 0;
 	u8 chan = 0;
 
 	wpa_s->next_scan_chan = 0;
@@ -671,8 +671,10 @@ static void wnm_set_scan_freqs(struct wpa_supplicant *wpa_s)
 				   MAC2STR(nei->bssid));
 			return;
 		}
-		if (nei->channel_number != chan)
+		if (nei->channel_number != chan) {
+			chan = nei->channel_number;
 			num_chan++;
+		}
 	}
 
 	if (num_chan == 1) {
@@ -692,6 +694,9 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
 {
 	unsigned int beacon_int;
 	u8 valid_int;
+#ifdef ESP_SUPPLICANT
+	bool scan_required = false;
+#endif
 
 	if (wpa_s->disable_btm)
 		return;
@@ -757,9 +762,11 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
 #ifdef ESP_SUPPLICANT
 			os_memset(wpa_s->next_scan_bssid, 0, ETH_ALEN);
 			wpa_s->next_scan_chan = 0;
-#endif
+			scan_required = true;
+#else
 			wpa_printf(MSG_DEBUG, "Trying to find another BSS");
 			wpa_supplicant_req_scan(wpa_s, 0, 0);
+#endif
 		}
 	}
 
@@ -871,6 +878,12 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
 				   "WNM: Scan only for a specific BSSID since there is only a single candidate "
 				   MACSTR, MAC2STR(wpa_s->next_scan_bssid));
 		}
+#ifdef ESP_SUPPLICANT
+		scan_required = true;
+	}
+	if (scan_required) {
+		wpa_printf(MSG_DEBUG, "Trying to find another BSS");
+#endif
 		wpa_supplicant_req_scan(wpa_s, 0, 0);
 	} else if (reply) {
 		enum bss_trans_mgmt_status_code status;
@@ -961,7 +974,7 @@ void ieee802_11_rx_wnm_action(struct wpa_supplicant *wpa_s,
 	switch (act) {
 	case WNM_BSS_TRANS_MGMT_REQ:
 		ieee802_11_rx_bss_trans_mgmt_req(wpa_s, pos, end,
-						 !(sender[0] & 0x01));
+						 0x01);
 		break;
 	default:
 		wpa_printf(MSG_ERROR, "WNM: Unknown request");
diff --git a/components/wpa_supplicant/src/esp_supplicant/esp_scan.c b/components/wpa_supplicant/src/esp_supplicant/esp_scan.c
index 2abfafb8c2..44cfe7be26 100644
--- a/components/wpa_supplicant/src/esp_supplicant/esp_scan.c
+++ b/components/wpa_supplicant/src/esp_supplicant/esp_scan.c
@@ -32,8 +32,7 @@
 
 extern struct wpa_supplicant g_wpa_supp;
 
-static void esp_scan_done_event_handler(void* arg, esp_event_base_t event_base,
-					int32_t event_id, void* event_data)
+static void scan_done_event_handler(void *arg, STATUS status)
 {
 	struct wpa_supplicant *wpa_s = &g_wpa_supp;
 
@@ -100,8 +99,6 @@ void esp_scan_init(struct wpa_supplicant *wpa_s)
 	wpa_s->scanning = 0;
 	wpa_bss_init(wpa_s);
 	wpa_s->last_scan_res = NULL;
-	esp_event_handler_register(WIFI_EVENT, WIFI_EVENT_SCAN_DONE,
-			&esp_scan_done_event_handler, NULL);
 }
 
 void esp_scan_deinit(struct wpa_supplicant *wpa_s)
@@ -109,8 +106,6 @@ void esp_scan_deinit(struct wpa_supplicant *wpa_s)
 	wpa_bss_deinit(wpa_s);
 	os_free(wpa_s->last_scan_res);
 	wpa_s->last_scan_res = NULL;
-	esp_event_handler_unregister(WIFI_EVENT, WIFI_EVENT_SCAN_DONE,
-			&esp_scan_done_event_handler);
 }
 
 int esp_handle_beacon_probe(u8 type, u8 *frame, size_t len, u8 *sender,
@@ -232,8 +227,10 @@ static int esp_issue_scan(struct wpa_supplicant *wpa_s,
 	wpa_s->type |= (1 << WLAN_FC_STYPE_BEACON) | (1 << WLAN_FC_STYPE_PROBE_RESP);
 	esp_wifi_register_mgmt_frame_internal(wpa_s->type, wpa_s->subtype);
 
+	typedef void (* scan_done_cb_t)(void *arg, STATUS status);
+	extern int esp_wifi_promiscuous_scan_start(wifi_scan_config_t *config, scan_done_cb_t cb);
 	/* issue scan */
-	if (esp_wifi_scan_start(params, false) < 0) {
+	if (esp_wifi_promiscuous_scan_start(params, scan_done_event_handler) < 0) {
 		ret = -1;
 		goto cleanup;
 	}