The Windows installer for Apache Tomcat defaults to a blank password for the administrative user. If this is not changed during installation, a user named admin is created with the roles admin and manager and a blank password.
A remote attacker who can reach the Tomcat instance can log in to the administrative web applications with this account.
Users of all Tomcat versions may mitigate this issue by one of the following methods:
- Using the .zip or .tar.gz distributions
- Specifying a strong password for the admin user when using the Windows installer
- Removing the admin user from the tomcat-users.xml file after the Windows installer has completed
- Editing the tomcat-users.xml file to provide the admin user with a strong password after the Windows installer has completed
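The third and fourth mitigations amount to auditing and then editing tomcat-users.xml. The following script, added here as an illustration and not part of the advisory or the Tomcat project, parses a tomcat-users.xml, reports any user that holds the admin or manager role with an empty password, and either removes that user or gives it a non-empty password. The embedded XML is a constructed sample approximating what the installer writes when the password field is left blank; the exact file the installer produces may differ, and the namespace stripping is included only so the same checks also work on the later namespaced tomcat-users.xml format.

```python
"""Audit tomcat-users.xml for blank-password users that hold administrative roles.

Added example (not Tomcat project code). The sample below is constructed; the
real installer output may differ in whitespace, comments and role ordering.
"""
import xml.etree.ElementTree as ET

# Constructed sample: what a freshly installed tomcat-users.xml looks like when
# the installer's password field was left blank (assumption, not a captured file).
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="deploy" password="s3cret-but-not-admin" roles="manager"/>
</tomcat-users>
"""

# Roles that grant access to the administrative web applications.
PRIVILEGED_ROLES = {"admin", "manager"}


def _local(tag):
    """Strip an XML namespace ({uri}tag -> tag) so namespaced files parse the same way."""
    return tag.rsplit("}", 1)[-1]


def _roles_of(user_el):
    return {r.strip() for r in user_el.get("roles", "").split(",") if r.strip()}


def find_blank_password_admins(xml_text):
    """Return [(username, [privileged roles])] for users with password="" and an admin/manager role."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        privileged = _roles_of(el) & PRIVILEGED_ROLES
        # Only an explicitly empty password attribute is flagged; a missing
        # attribute is a different misconfiguration and is not judged here.
        if el.get("password") == "" and privileged:
            findings.append((el.get("username"), sorted(privileged)))
    return findings


def remove_user(xml_text, username):
    """Mitigation: drop the named user entirely. Returns (new_xml, number_removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    # Snapshot the parents first: removing children while iterating the live tree is unsafe.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) == "user" and child.get("username") == username:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def set_password(xml_text, username, new_password):
    """Mitigation: give the named user a non-empty password. Returns (new_xml, number_changed)."""
    if not new_password:
        raise ValueError("refusing to set an empty password")
    root = ET.fromstring(xml_text)
    changed = 0
    for el in root.iter():
        if _local(el.tag) == "user" and el.get("username") == username:
            el.set("password", new_password)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for name, roles in find_blank_password_admins(SAMPLE_TOMCAT_USERS):
        print(f"blank password for user {name!r} with roles {roles}")
    hardened, n = remove_user(SAMPLE_TOMCAT_USERS, "admin")
    print(f"removed {n} user(s); remaining findings: {find_blank_password_admins(hardened)}")
```

Run it against a real file by replacing SAMPLE_TOMCAT_USERS with the contents of conf/tomcat-users.xml; either mitigation function returns the rewritten document, which should be written back only after a restart is planned, since Tomcat reads the file at startup.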
A patch for this issue has been applied to trunk and will be included in the next releases of 6.0.x and 5.5.x.
References
Apache Tomcat Windows Installer insecure default administrative password