- he has access to the device where the user selected 'remember this device for 30 days' or
- he can somehow bypass the login 2FA, because the user has selected 'remember this device for 30 days' on a device and he has stolen/intercepted the cookie or whatever is used for remembering this or
- he is in front of the device where the user is just logged in
In this case he can easily deactivate the 2FA. The only thing he has to do is entering the users password. The problem is that there is no 2FA required before deactivating (or otherwise modifying) the 2FA.
The same also applies to the password change. An attacker there also just have to enter the old password (and not pass the 2FA) to change it.