This article studies the impact of stochastic stealthy false data injection attacks on the security of cyber-physical systems. The Kullback–Leibler divergence is used as the stealthiness metric for detecting system anomalies. The attacker is able to inject false data into the measurement and actuation channels at the same time. The attacker's goal is to destabilize the system while keeping the Kullback–Leibler divergence below a certain threshold. First, to characterize when an attack remains stealthy, the relationship between the Kullback–Leibler divergence threshold and the upper bounds on the norms of the mathematical expectation and covariance of the compromised innovation is given. Then, necessary and sufficient conditions for the insecurity of the system are derived for the case in which all measurement channels are compromised by the attacker. Furthermore, some sufficient conditions for the security of the system are presented for the cases in which only some or none of the measurement channels are compromised. Finally, simulations are provided to illustrate the effectiveness of the obtained results.
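The detector-side computation behind this metric, as an added example that is not taken from the article: it evaluates the closed-form Kullback–Leibler divergence between an observed innovation distribution and the nominal one and compares it with a threshold. Assumptions: innovations are Gaussian, the nominal innovation is zero-mean with covariance `cov_0`, the divergence is taken from the observed to the nominal distribution, and the function names, sample covariances and threshold `delta` are constructed for illustration.

```python
import math

def cholesky(a):
    """Lower-triangular L with L L^T = a, for symmetric positive-definite a."""
    n = len(a)
    low = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = a[i][j] - sum(low[i][k] * low[j][k] for k in range(j))
            if i == j:
                if s <= 0.0:
                    raise ValueError("covariance is not positive definite")
                low[i][j] = math.sqrt(s)
            else:
                low[i][j] = s / low[j][j]
    return low

def forward_solve(low, b):
    """Solve low @ x = b for lower-triangular low."""
    x = []
    for i, row in enumerate(low):
        x.append((b[i] - sum(row[k] * x[k] for k in range(i))) / row[i])
    return x

def kl_innovation(mu_a, cov_a, cov_0):
    """KL( N(mu_a, cov_a) || N(0, cov_0) ), assuming Gaussian innovations."""
    n = len(mu_a)
    l0, la = cholesky(cov_0), cholesky(cov_a)
    # tr(cov_0^-1 cov_a) = ||l0^-1 la||_F^2, computed column by column.
    trace = 0.0
    for j in range(n):
        col = forward_solve(l0, [la[i][j] for i in range(n)])
        trace += sum(v * v for v in col)
    # mu_a^T cov_0^-1 mu_a = ||l0^-1 mu_a||^2
    maha = sum(v * v for v in forward_solve(l0, mu_a))
    # ln det(cov_0) - ln det(cov_a) from the Cholesky diagonals
    logdet = 2.0 * sum(math.log(l0[i][i]) - math.log(la[i][i]) for i in range(n))
    return 0.5 * (trace + maha - n + logdet)

def exceeds_threshold(mu_a, cov_a, cov_0, delta):
    """Detector decision: flag when the divergence is above delta (assumed value)."""
    return kl_innovation(mu_a, cov_a, cov_0) > delta

if __name__ == "__main__":
    cov_0 = [[2.0, 0.5], [0.5, 1.0]]          # constructed nominal covariance
    cases = {"mean shift": ([1.0, 0.0], cov_0),
             "covariance inflation": ([0.0, 0.0], [[3.0, 0.75], [0.75, 1.5]])}
    for name, (mu, cov) in cases.items():
        print(name, round(kl_innovation(mu, cov, cov_0), 4),
              exceeds_threshold(mu, cov, cov_0, delta=0.1))
```

Both the mean and the covariance of the innovation contribute to the divergence, so a monitor that checks only one of the two moments misses part of the deviation this metric measures.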