Tomcat Manager - Default Login Credentials

  • LAST UPDATED DATE: 2015/11/25
  • LAST UPDATED BY: @mubix


Default Tomcat Management credentials

Capabilities and Risk

This section replaces any "level" or "score", because assigning one to a vulnerability requires more context than is in scope for this database.

  • List of possible real-world uses for this vulnerability
  • Read files as www-data (or whichever user the web server is running as)
  • DDoS service
  • Code execution (for this one to fly there needs to be a reference proving it)


Default credentials can be tried by authenticating with the Tomcat HTTP login. The list below contains default Tomcat credentials.


  • tomcat/tomcat
  • both/tomcat
  • role1/tomcat
  • manager/manager
  • admin/admin


Default accounts should be disabled or have their password reset.
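
One way to find the accounts listed above on a server before disabling or resetting them, as an added example that is not part of the original page: it parses a `tomcat-users.xml` file and reports active users whose username and password match the list. The function names and the sample file are constructed for illustration, and it assumes passwords are stored in plaintext (a digested password will not match).

```python
import xml.etree.ElementTree as ET

# Default username/password pairs listed on this page.
DEFAULT_PAIRS = {
    ("tomcat", "tomcat"), ("both", "tomcat"), ("role1", "tomcat"),
    ("manager", "manager"), ("admin", "admin"),
}
# Roles that grant access to the Manager / Host Manager applications.
PRIVILEGED_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin", "admin-gui", "admin-script"}

def local(tag):
    """Strip an XML namespace such as {http://tomcat.apache.org/xml}user."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return a finding for every active <user> that uses a default pair.

    Assumption: the password attribute holds a plaintext password.
    Users inside XML comments are skipped, since they are not active.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        # Tomcat accepts both username= and the legacy name= attribute.
        user = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (user, password) in DEFAULT_PAIRS:
            findings.append({
                "user": user,
                "roles": sorted(roles),
                "manager_access": bool(roles & PRIVILEGED_ROLES),
            })
    return findings

# Constructed sample file, not taken from a real host.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <!-- <user username="role1" password="tomcat" roles="role1"/> -->
  <user username="tomcat" password="tomcat" roles="tomcat, manager-gui"/>
  <user name="admin" password="admin" roles="admin-gui"/>
  <user username="deploy" password="x9!Lq2#constructed" roles="manager-script"/>
</tomcat-users>"""

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE):
        print(finding)
```

Findings with `manager_access` set are the ones to fix first, since those accounts can log in to the management console.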


  • Link to blog post
  • Link to CVE
  • Link to Metasploit module
  • Link to Nessus/NeXpose/Qualys write up


The Tomcat management console can be accessed by navigating to the URL: http://x.x.x.x:8080/manager

Last updated on 24th Jul 2019