Comment from Simon Tatham:
CVE-2021-36367 refers to this new option as a fix for a vulnerability, and describes the vulnerability as “PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response”. With respect to the author of that text, we consider that to be misleading. It is perfectly legal for the server to waive authentication, and actually useful in some legitimate use cases; it is perfectly legal for PuTTY to proceed with the connection regardless; and the trust sigil system introduced in 0.71 already defends against every spoofing/phishing attack we know of that a server could attempt by doing this unexpectedly. This new option is a UI improvement, but not in and of itself a vital vulnerability fix.
The trivial authentication phishing attack is described in Trivial Authentication.