In this paper, we present a sensor attack on cyber-physical systems (CPSs), which can be constructed with limited knowledge of the target system and can remain stealthy until the attack succeeds. The target CPS consists of a physical plant with unstable linear dynamics and a feedback controller. Specifically, the attack mechanism is to impede the stabilizing function of the feedback controller by injecting false data to the sensors, where the false data are created using the unstable dynamics of the plant. When the only nominal model for the target dynamics is known, the stealthiness is maintained by deploying a mechanism similar to a disturbance observer (DOB) which can be designed to absorb the effect of the mismatch between the nominal and actual dynamics until the attack succeeds. The success of the attack is defined by the norm of the system state exceeding a threshold. Sensor attacks that exploit unstable plant dynamics had been conceived previously. Generation of such attacks require precise knowledge of the target system for stealthiness, i. e., the attack must cancel at the sensor exactly the effect of instability in order to avoid detection. When not exact, the mismatch grows exponentially leading to the detection of abnormality. The attack presented in this paper absorbs the mismatch using the DOB mechanism, where the degree of absorption is selected such that the detection is delayed until the attack succeeds. Thus, the proposed attack, compared to the conventional ones, poses a greater level of threat to CPS. In this paper, generation of the attack is presented, and the effect is analyzed. The consequence of the attack is illustrated and emphasized by simulations on quadrotors and inverted pendulums, respectively.