It is really not a security flaw. It is the fact that you used a different kind of access list. The normal usage of an access list for access-class on vty is to use a standard access list. A standard access list identifies a single address (or address range) that is permitted to have remote access. An extended access list makes the logic much more complex when it identifies two address ranges, which we usually interpret as source address and destination address.
One of the advantages of access-class is that the logic that applies it realizes that any address on the router might be the destination address. If you attempted to control remote access via access-group applied to interfaces, you would have to put in a line for every interface on the router with an IP address. The logic in access-class consolidates them to cover any access attempt to any interface on the router, and so it represents the destination as 0.0.0.0. It is a feature, not a flaw.
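A simplified model of the matching logic described in the post above, as an added example that is not part of the original post and is not Cisco code. It assumes, as the post states, that access-class presents the destination as 0.0.0.0; the `Ace` type, function names and documentation-range addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Ace(NamedTuple):
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str                       # wildcard mask: 1-bits mean "don't care"
    dst: str = "0.0.0.0"              # a standard ACE has no destination,
    dst_wc: str = "255.255.255.255"   # so model it as "any"

def _match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF            # bits that must be equal
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if _match(src, ace.src, ace.src_wc) and _match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"

VTY_DST = "0.0.0.0"  # assumption taken from the post: destination seen by access-class

def vty_access(acl, client):
    return evaluate(acl, client, VTY_DST)

# Constructed sample ACLs using documentation address ranges
STANDARD = [Ace("permit", "192.0.2.0", "0.0.0.255")]
EXT_HOST_DST = [Ace("permit", "192.0.2.0", "0.0.0.255", "198.51.100.1", "0.0.0.0")]
EXT_ANY_DST = [Ace("permit", "192.0.2.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]

def demo():
    client = "192.0.2.10"
    return {
        "standard": vty_access(STANDARD, client),
        # An interface address as destination never equals 0.0.0.0, so no match
        "extended_host_dst": vty_access(EXT_HOST_DST, client),
        "extended_any_dst": vty_access(EXT_ANY_DST, client),
        # The same extended ACL does match when evaluated against real packets
        "interface_view": evaluate(EXT_HOST_DST, client, "198.51.100.1"),
        "outsider": vty_access(STANDARD, "203.0.113.5"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this model, an extended entry that names a specific interface address as its destination falls through to the implicit deny on the vty, while the standard list and the extended list with an `any` destination behave identically.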