Driven by ubiquitous digitalization and by cyberattacks on critical infrastructure, there is strong interest in research on the security of cyber-physical systems. If an attacker gains access to protected and sensitive information, such as the internal states of a control system, this is considered a breach of confidentiality. Access to such information can be the first step in a larger attack scheme, such as a stealthy false data injection attack. Considering process and measurement noise in the plant, existing research has investigated when an attacker equipped with a Kalman filter can perfectly estimate the internal controller states, given access to the plant measurements and all model parameters. For that estimate to converge, the controller is required to have stable poles. In this paper, we show that if the attacker instead has access to the control inputs, the controller needs to have stable zeros. Additionally, we demonstrate that an attacker equipped with an Unknown Input Observer, using tools from delayed system inversion, can obtain a delayed yet perfect estimate of the controller states from the control inputs alone, without knowledge of the plant's parameters or noise characteristics. Lastly, we present simulation results from a three-tank system to showcase the differences in controller state estimation.
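The zero condition can be seen on a toy controller. The example below is added here for illustration and is not the paper's code or its three-tank model: it assumes a second-order SISO controller in controllable canonical form with transfer function (z - z0)/((z - 0.8)(z - 0.6)), no direct feedthrough, and a constructed random sequence of plant measurements y_k that the attacker never sees. The attacker observes only the control inputs u_k and knows the controller matrices. Because CB is invertible (relative degree one), the unknown measurement can be eliminated from u_{k+1} = CA x_k + CB y_k, which yields a one-step-delayed inverse system whose estimation error evolves as e_{k+1} = (A - B(CB)^{-1}CA) e_k. The non-zero eigenvalues of that matrix are the controller zeros, so the estimate converges exactly when the zeros are stable; the plant model and noise never enter. With a higher relative degree the same construction needs a longer delay, which is where the delay in "delayed system inversion" comes from.

```python
"""Delayed-inversion unknown input observer on a toy controller (added illustration)."""
import numpy as np


def controller_matrices(z0, poles=(0.8, 0.6)):
    """Return (A, B, C) of a SISO controller in controllable canonical form.

    The controller maps plant measurements y_k to control inputs u_k:
        x_{k+1} = A x_k + B y_k,   u_k = C x_k
    Its transfer function is (z - z0) / ((z - p1)(z - p2)), so z0 is the
    controller zero and `poles` are its poles. Toy choice, not the paper's.
    """
    p1, p2 = poles
    a1 = -(p1 + p2)          # z^2 + a1 z + a2 = (z - p1)(z - p2)
    a2 = p1 * p2
    A = np.array([[0.0, 1.0], [-a2, -a1]])
    B = np.array([[0.0], [1.0]])
    C = np.array([[-z0, 1.0]])
    return A, B, C


def inverse_observer_matrices(A, B, C):
    """Build the one-step-delayed inverse of (A, B, C).

    From u_{k+1} = C A x_k + C B y_k the unknown input y_k is eliminated:
        x_hat_{k+1} = (A - B (CB)^{-1} C A) x_hat_k + B (CB)^{-1} u_{k+1}
    Needs CB invertible (relative degree one). The error obeys e_{k+1} = M e_k,
    and the non-zero eigenvalues of M are the transmission zeros of the controller.
    """
    CB = C @ B
    if abs(np.linalg.det(CB)) < 1e-12:
        raise ValueError("C B is singular: relative degree > 1, a longer delay is needed")
    CB_inv = np.linalg.inv(CB)
    K = B @ CB_inv
    M = A - K @ (C @ A)
    return M, K, CB_inv


def simulate(z0, steps=60, seed=0):
    """Run the controller on unseen measurements, then the attacker's observer.

    Returns the final state estimation error, the error of the reconstructed
    (one-step-delayed) measurement, and the spectral radius of the error matrix.
    """
    rng = np.random.default_rng(seed)
    A, B, C = controller_matrices(z0)
    M, K, CB_inv = inverse_observer_matrices(A, B, C)

    # Constructed plant measurement sequence; the attacker never sees it and
    # needs no model of how it was generated.
    y = rng.uniform(-1.0, 1.0, size=steps)
    x = np.array([[1.0], [-1.0]])        # true controller state, unknown to the attacker
    xs, us = [x], [C @ x]
    for k in range(steps):
        x = A @ x + B * y[k]
        xs.append(x)
        us.append(C @ x)                 # control inputs the attacker can read

    # Attacker: wrong initial guess, only u_0..u_steps and (A, B, C) available.
    x_hat = np.zeros((2, 1))
    y_hat_last = None
    for k in range(steps):
        # Reconstruct y_k one step late, then advance the inverse system.
        y_hat_last = CB_inv @ (us[k + 1] - C @ A @ x_hat)
        x_hat = M @ x_hat + K @ us[k + 1]

    return {
        "state_err": float(np.linalg.norm(x_hat - xs[steps])),
        "meas_err": float(abs(y_hat_last[0, 0] - y[steps - 1])),
        "max_abs_eig": float(np.max(np.abs(np.linalg.eigvals(M)))),
    }


if __name__ == "__main__":
    for z0 in (0.5, 1.5):
        r = simulate(z0)
        print(f"zero at {z0}: spectral radius {r['max_abs_eig']:.2f}, "
              f"state error {r['state_err']:.2e}, measurement error {r['meas_err']:.2e}")
```

Running it with the zero at 0.5 drives both the state error and the reconstructed-measurement error to floating-point noise after 60 steps; moving the zero to 1.5 leaves the controller just as stable (same poles) but makes the attacker's estimate diverge geometrically, which is the stable-zeros condition in the abstract. Note the attacker also recovers the plant measurements themselves with a one-step delay, so the confidentiality loss is not limited to the controller state.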
Part of ISBN 9798350316339